by CommitSyn 1254 days ago
Now's a great time to learn how to read basic PHP and how to modify code to sanitize input. It's low-hanging knowledge that won't take much time. You're not going to prevent the OWASP top30, but you can stop SQLi and XSS and maybe get more into webappsec.

Input going into DB: https://wordpress.stackexchange.com/questions/114344/how-to-...

Input being displayed from DB: https://developer.wordpress.org/reference/functions/sanitize...

But also, steal his cookie. Allow the student to become the teacher and see if he takes it as a humble learning experience.