The “vulnerability” is precisely the functionality of the plugin. There is no patch for that, as the only way to show a tour with a skin is to upload that JavaScript to your WordPress website. Of course, there can be nasty things in that tour if it comes from an untrusted source.
The only solution is to NOT give untrusted/anonymous people upload privileges to your website, which is, in my humble opinion, a good idea in the first place, independent of whether you use our plugin or not.
If the website requires untrusted/anonymous users to upload any data files, and this security vulnerability concerns you, you should not use our plugin.
We have now found a way to add capability settings in version 2.5.0 so that the upload is only allowed for admins and users that have the “upload_ggpkg” capability.
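As an added illustration of the capability gate described above (example code, not the plugin's own): a WordPress upload handler registered only for logged-in users that rejects anyone who is neither an administrator nor holds the "upload_ggpkg" capability. The hook and function names, the nonce action, the form field and the package MIME type are assumptions.

```php
<?php
// Added example, not the plugin's own code. The capability name "upload_ggpkg"
// comes from the statement above; everything else here is hypothetical.

// On activation, grant the capability to the administrator role only. Any
// other role must be given it deliberately by the site owner.
function ggpkg_example_activate() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'upload_ggpkg' );
    }
}
register_activation_hook( __FILE__, 'ggpkg_example_activate' );

// Upload handler reachable via admin-ajax.php. Only the "wp_ajax_" hook is
// registered (no "wp_ajax_nopriv_"), so anonymous visitors never reach it.
function ggpkg_example_handle_upload() {
    // Reject requests without a valid nonce for this action (CSRF protection).
    check_ajax_referer( 'ggpkg_upload', 'nonce' );

    // The actual gate: administrators or users explicitly granted upload_ggpkg.
    if ( ! current_user_can( 'manage_options' ) && ! current_user_can( 'upload_ggpkg' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    if ( empty( $_FILES['ggpkg'] ) || UPLOAD_ERR_OK !== $_FILES['ggpkg']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Accept only the package extension (assumed to be a zip container);
    // wp_handle_upload still applies the site's own upload checks.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array( 'ggpkg' => 'application/zip' ),
    );
    $result = wp_handle_upload( $_FILES['ggpkg'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'] ) );
}
add_action( 'wp_ajax_ggpkg_upload', 'ggpkg_example_handle_upload' );
```

Because the check runs on the server for every request, a user who merely hides or bypasses the upload button in the browser still cannot upload without the capability.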