Three vulnerabilities present in WordPress frequently used by e-learning and Fortune 500 were subject to severe security issues.
Check Point published a research confining to three popular WordPress plugins, LearnPress, LearnDash, and LifterLMS, learning management systems (LMS) which is largely used for educational purposes.
LMS platforms are used to manage free as well as paid online courses to host student resources, issue and mark assignments, and to facilitate discussion between students.
LearnPress plugin which is developed by ThimPress, is used for creating and publishing courses with more than 80,000 active installations. LearnDash is another LMS course creation bolt-on used by universities and Fortune 500 companies which comes to around 33,000 websites and LifterLMS is a course and membership website creation plugin having at least 10,000 active installs.
Check Point inspected these plugins in detail and found four vulnerabilities — CVE-2020-6008, CVE-2020-6009, CVE-2020-6010, and CVE-2020-6011 — which includes privilege escalation to remote code execution (RCE) flaws.
According to the researchers, these vulnerabilities allow regular students and at times even unauthenticated users to get sensitive information or take control of the LMS platforms.
The students or remote unauthenticated attackers can exploit the security flaws to hijack e-learning platforms, steal sensitive data, change grades, adjust the assignments, make certificates, and also drain money away from LMS platforms by offering paid courses.
The vulnerability, CVE-2020-6010 which is an SQL injection flaw affects LearnPress versions 184.108.40.206 and below.
The vulnerability, CVE-2020-6011, also affects the same LMS plugin and this bug was caused by legacy code left in the system and could be used to give a user the same privileges as a teacher without checking on account permissions.
The vulnerable functions of both the vulnerabilities were completely removed from the new patched version.
Another vulnerability, CVE-2020-11511 which affects the version 220.127.116.11 and below, was disclosed by the Wordfence security team on April 28. This bug can be exploited to elevate privileges to an “instructor” level, similar to that of an author.
The vulnerability CVE-2020-6009 affects LearnDash versions 3.1.6 and below. It is also an unauthenticated second-order SQL injection issue.
The vulnerability CVE-2020-6008 is an arbitrary file-write vulnerability found in LifterLMS versions 3.37.15 and below. This flaw exists in how PHP and Ajax files are handled, allowing the attackers to intercept requests to write PHP files without permission and remotely execute code.
Check Point’s findings were reported to the vendors and updated patched versions have been released. The users are recommended to update the plugins to the latest versions to stay protected.
Check Point vulnerability researcher Omri Herscovici stated that educational institutions and online academies depend on the systems that they researched to run their entire online courses and training programs.
Learning management systems is widely used now, especially at a time when distance learning is being adopted due to the coronavirus outbreak.