Distance learning is not that safe. Vulnerabilities in WordPress LMS plugins used by top universities

Cybersecurity specialists warn about a newly discovered set of vulnerabilities in some popular online learning management system (LMS) plugins that various organizations and universities use to offer online training courses through their WordPress-based websites.

According to Check Point researchers, the three WordPress plugins in question (LearnPress, LearnDash, and LifterLMS) have security flaws that could allow students, as well as unauthenticated users, to steal personal information from any registered user, and even gain administrator privileges.

“Many activities are being carried out remotely, including learning; these flaws allow any user to compromise these tools, interrupting the remote learning process,” says Omri Herscovici, a Check Point researcher.

All three LMS systems are installed on approximately 100,000 different educational platforms, including major universities such as the University of Florida, the University of Michigan and the University of Washington, among others. LearnPress and LifterLMS have only been downloaded more than 1.6 million times since its release.

LearnPress flaws range from SQL injection (CVE-2020-6010) to privilege escalation (CVE-2020-11511), which can allow a user to obtain the role of master or administrator. The code does not verify the requesting user’s permissions, so it allows any student to call this function.

On the other hand, LearnDash suffers from a SQL injection vulnerability (CVE-2020-6009) that allows an adversary to develop a malicious SQL query using PayPal’s Instant Payment Notification (IPN) message service simulator to trigger enrollment transactions on fake courses.

The LifterLMS Arbitrary File Writing Vulnerability (CVE-2020-6008) exploits the dynamic nature of PHP applications to allow a threat actor or student without administrator privileges to replace their profile name with a malicious PHP fragment.

The Check Point Research team also mentioned that the vulnerabilities were discovered in March and revealed according to the parameters set by the cybersecurity community. After the flaws were publicly disclosed, the three LMS systems released the corresponding updates to correct these failures.

Vulnerable deployment administrators are encouraged to install updates as soon as possible to mitigate the risk of exploitation.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.