Security researchers have raised concerns about recently discovered vulnerabilities in several popular learning management system (LMS) plug-ins that organizations and universities use to deliver online courses on their WordPress-based websites.
According to Check Point’s research team, the three WordPress plug-ins – LearnPress, LearnDash and LifterLMS – have security holes that allow both students and non-authenticated users to steal personal information from registered users and even obtain teacher privileges.
According to Omri Gershovic of Check Point Research, because of the coronavirus we are doing everything from home, including formal education. The vulnerabilities found make it possible for students, and sometimes non-authenticated users, to access confidential information or gain control over the LMS platform.
The three LMS systems are installed on approximately 100,000 different educational platforms, including major universities such as the University of Florida, the University of Michigan and the University of Washington.
The LearnPress and LifterLMS systems have been downloaded more than 1.6 million times since their introduction.
Multiple vulnerabilities in WordPress LMS plug-ins
An LMS facilitates e-learning through a software application that lets schools and employers create curricula, share course work, enroll students and evaluate them through quizzes.
Plug-ins such as LearnPress, LearnDash and LifterLMS make it easy to adapt any WordPress site to a fully functional and easy-to-use LMS system.
The bugs in LearnPress range from blind SQL injection (CVE-2020-6010) to privilege escalation (CVE-2020-6011), which allows an existing user to obtain the role of a teacher.
Suddenly, the code no longer checks the requesting user's permissions, so every student can call this feature, the researchers said.
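The missing permission check described above, as an added example that is not LearnPress's code and not code published by the researchers: a hypothetical WordPress AJAX handler that grants a teacher role, first without an authorization check and then with a nonce and capability check. The action names, the nonce name and the `lms_teacher` role are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not LearnPress source.
// Action names, nonce name and the 'lms_teacher' role are assumptions.

// BEFORE: the wp_ajax_ hook runs for every logged-in account, and the
// handler never checks who is asking, so a student-level account can
// trigger the role change.
add_action( 'wp_ajax_demo_accept_teacher_vulnerable', function () {
    $user = get_user_by( 'id', absint( $_POST['user_id'] ?? 0 ) );
    if ( $user ) {
        $user->add_role( 'lms_teacher' );
    }
    wp_send_json_success();
} );

// AFTER: verify the request nonce and the caller's capability first.
add_action( 'wp_ajax_demo_accept_teacher', function () {
    // Rejects forged cross-site requests (terminates with 403 on failure).
    check_ajax_referer( 'demo_accept_teacher', 'nonce' );

    // Only accounts that are allowed to promote users may grant roles.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $user = get_user_by( 'id', absint( $_POST['user_id'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Unknown user' ), 404 );
    }

    $user->add_role( 'lms_teacher' );
    wp_send_json_success( array( 'user_id' => $user->ID ) );
} );
```

When reviewing a plug-in, any `wp_ajax_` handler that changes roles, grades or enrollment without a `current_user_can()` check deserves the same scrutiny.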
LearnDash also suffers from a SQL injection flaw (CVE-2020-6009), which allows an attacker to craft a malicious SQL query using PayPal’s Instant Payment Notification (IPN) simulator to trigger false login transactions.
Finally, an arbitrary file write vulnerability in LifterLMS (CVE-2020-6008) takes advantage of the dynamic nature of PHP applications: for example, a student who has registered for a certain course can change the name of their profile into a malicious piece of PHP code.
In general, the flaws allow attackers to steal personal information (names, e-mail addresses, usernames, passwords, etc.) and allow students to change grades, obtain tests and test answers in advance, and forge certificates.
The platforms involve payment, so the financial regulation applies even if the website is modified without informing the webmaster, the researchers warned.
Check Point Research reported that the vulnerabilities were discovered in March and responsibly disclosed to the respective platforms. Since then, all three LMS systems have released patches to fix the problems.
Users are advised to update these plug-ins to the latest versions.