Critical Vulnerabilities Found In 3 Popular e-Learning Plugins For WordPress Sites
On Thursday, Check Point published research on three popular WordPress plugins, LearnPress, LearnDash, and LifterLMS. These learning management systems (LMS) are widely used for educational purposes, especially now that distance learning is being more widely adopted due to the coronavirus outbreak. The three plugins, commonly used by e-learning sites and Fortune 500 companies, were subject to severe security issues, researchers say.
The vulnerable plugins have been installed on more than 130,000 school websites, including ones used by the University of Florida, University of Michigan and University of Washington. Schools leverage these plugins as part of their learning management systems (LMS). LMS platforms, used to administer, track and organize coursework, are vital right now for schools quickly moving classrooms online during the coronavirus pandemic.
LearnPress is used on LMS platforms to create courses with quizzes and lessons for students, and has an install base of 80,000. LearnDash provides tools for selling online coursework, and is used by more than 33,000 websites. And LifterLMS provides sample courses and quizzes, and is used by more than 17,000 websites.
Omri Herscovici, Check Point vulnerability research team leader, said:
“We proved that hackers could easily take control of the entire e-learning platform. Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs.”
“The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishments everywhere to update to the latest versions of all the platforms.”
“Because of coronavirus, we’re doing everything from our homes, including our formal learning.”
It is possible, Check Point says, for students or remote, unauthenticated attackers to exploit the security flaws to hijack e-learning platforms, steal sensitive data, change grades, tamper with assignments, forge certificates, and potentially siphon money away from LMS platforms offering paid courses.
Multiple Vulnerabilities in WordPress LMS Plugins
LMS facilitates online learning via a software application that lets academic institutions and employers create course curriculum, share coursework, enroll students, and evaluate students with quizzes. Plugins such as LearnPress, LearnDash, and LifterLMS make it easy by adapting any WordPress site to a fully functioning and easy-to-use LMS.
The flaws range in seriousness and impact, but could allow third-party attackers to steal personal information (such as names, emails, usernames and passwords) or target the financial payment methods that are tied to the platforms. In addition, the flaws could have given students the ability to change the grades for themselves or their friends, retrieve tests before they are administered, escalate their privileges to those of a teacher and forge graduation certificates.
Threatpost has reached out to LearnPress, LearnDash and LifterLMS for further comment.
Researchers found the flaws in a span of two weeks during March. All vulnerabilities have since been reported to the plugin developers and patched.
A time-based blind SQL injection vulnerability (CVE-2020-6010) exists in versions 18.104.22.168 and earlier of LearnPress, which researchers said “is very trivial to identify and exploit.” Specifically, the flaw exists in the method _get_items of the class LP_Modal_Search_Items. The method fails to sufficiently sanitize user-supplied data before using it in an SQL query. An authenticated attacker can exploit this merely by sending a specially crafted request to the /wp-admin/admin-ajax.php endpoint.
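As an added example (not from Check Point's research or the plugins' code), here is one way a defender could look for time-based probing of /wp-admin/admin-ajax.php in web access logs: injected delays produce a tight cluster of slow responses mixed with normal fast ones from the same client. It assumes an nginx log format that appends $request_time; the thresholds, function name and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed nginx log_format: combined fields followed by $request_time (seconds).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)$'
)
ENDPOINT = "/wp-admin/admin-ajax.php"
SLOW_SECONDS = 3.0   # assumed: well above this site's normal AJAX latency
MIN_SLOW = 3         # slow responses needed before a client is reported
MAX_SPREAD = 0.5     # injected delays are near-identical; organic slowness varies

def suspicious_clients(lines):
    """Return {ip: (slow_count, fast_count)} for clients whose admin-ajax.php
    latencies show a tight cluster of slow responses mixed with fast ones."""
    times = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["path"].split("?", 1)[0] != ENDPOINT:
            continue  # unparseable line or a different endpoint
        times[m["ip"]].append(float(m["rt"]))
    flagged = {}
    for ip, rts in times.items():
        slow = [t for t in rts if t >= SLOW_SECONDS]
        fast = len(rts) - len(slow)
        if len(slow) >= MIN_SLOW and fast >= 1 and max(slow) - min(slow) <= MAX_SPREAD:
            flagged[ip] = (len(slow), fast)
    return flagged

# Constructed sample log (documentation IP ranges, invented timings).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-" 0.041
203.0.113.7 - - [10/Mar/2020:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-" 5.012
203.0.113.7 - - [10/Mar/2020:10:00:13 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-" 5.018
203.0.113.7 - - [10/Mar/2020:10:00:14 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-" 0.038
203.0.113.7 - - [10/Mar/2020:10:00:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-" 5.009
203.0.113.7 - - [10/Mar/2020:10:01:00 +0000] "GET /courses/ HTTP/1.1" 200 9000 "-" "-" 5.500
198.51.100.20 - - [10/Mar/2020:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "-" 4.210
192.0.2.55 - - [10/Mar/2020:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "-" 3.400
192.0.2.55 - - [10/Mar/2020:10:03:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "-" 6.900
192.0.2.55 - - [10/Mar/2020:10:03:25 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "-" 11.200
192.0.2.55 - - [10/Mar/2020:10:03:26 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "-" 0.200
""".splitlines()

if __name__ == "__main__":
    for ip, (slow, fast) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {slow} uniformly slow / {fast} fast responses from {ENDPOINT}")
```

A hit is a lead for investigation rather than proof of injection; tune the thresholds against the site's own baseline latency for this endpoint.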
The second vulnerability, CVE-2020-6011, also impacts the same LMS plugin. This particular bug was caused by legacy code left in the system and could be used to give a user the same privileges as a teacher — without checking on account permissions.
In versions earlier than 3.1.6 of LearnDash, researchers found an unauthenticated second-order SQL injection (CVE-2020-6009), stemming from the ld-groups.php file. The file failed to sanitize user-supplied data before using it in an SQL query. Similar to CVE-2020-6010, this flaw enables attackers to access the entire content of the database and steal personal information. The flaw ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.
Finally, researchers found an arbitrary file-write flaw (CVE-2020-6008) in versions earlier than 3.37.15 of LifterLMS. The flaw exists due to insufficient validation of files during file upload; remote attackers can leverage the flaw to execute code and effectively take over the learning platforms. This flaw ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.
“The SQL injection is very dangerous since it allows stealing the entire database of the website with all the information, including the admin’s hashed password,” Herscovici told Threatpost. “But the most dangerous one is the arbitrary file-write (CVE-2020-6008) which allows the attacker to upload any code of their own to the server, thus instantly achieving full remote code execution.”
Check Point Research said the vulnerabilities were discovered in March and were responsibly disclosed to the concerned platforms. All three LMS systems have since released patches to address the issues.
It’s recommended that users upgrade to the latest versions of these plugins.