Educational establishments using the plugins are urged to update to the latest versions immediately to prevent exploitation
As Covid-19 forces students and employees to learn and train from home, researchers from Check Point have found serious vulnerabilities in the three most widely-used WordPress plugins that are used for large-scale online learning:
If not fixed, the flaws could enable students, as well as unauthenticated users, to steal personal information, siphon money and/or attain teacher privileges from the online learning platforms.
Researchers at Check Point have identified serious security flaws in the most widely-used plugins powering online learning platforms. As the Covid-19 pandemic forces people everywhere into their homes, top academic institutions and Fortune 500 companies are relying on learning management systems (LMS) to conduct virtual classes without having students or employees come into a physical classroom.
Check Point Research discovered the security flaws in the three leading WordPress plugins, LearnPress, LearnDash and LifterLMS, which transform any WordPress website into a fully functioning and easy-to-use LMS. The three plugins are used by Fortune 500 companies and some of the top universities in the world, including the University of Florida, University of Michigan, University of Washington, and are installed on approximately 100,000 different educational platforms.
The vulnerabilities, which ranged from Privilege Escalation through to SQL Injection, to full Remote Code Execution capability, would have enabled students, as well as unauthenticated users, to steal personal information, siphon money and/or attain teacher privileges.
Specifically, a person could leverage the security flaws to:
- Steal personal information: names, emails, usernames and passwords
- Funnel money from an LMS into their own bank accounts
- Change grades for themselves
- Change grades for peers
- Forge certificates
- Retrieve test answers
- Escalate their privileges to that of a teacher
Check Point Vulnerability Research Team Leader, Omri Herscovici said:
“Because of coronavirus, we’re doing everything from our homes, including our formal learning. Students and employees logging into eLearning sites probably don’t know just how dangerous that can be. We proved that hackers could easily take control of the entire eLearning platform.
“Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs. The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishments everywhere to check if they are using these plugins and update to the latest versions of them.”
Responsible disclosure and vulnerability fixes
Researchers found the vulnerabilities in a span of two weeks during March 2020. Check Point responsibly disclosed each of the vulnerabilities in the respective platforms to the appropriate developers. All of the vulnerabilities were patched, and were given these CVE entries: CVE-2020-6008, CVE-2020-6009, CVE-2020-6010 and CVE-2020-6011. IT teams running LMS platforms should check if they are using the affected plugins and update to the latest versions to close the vulnerabilities.
About Learning Management Systems
An LMS is a vast repository where educational information is stored and tracked. Anyone with a login and password can access these online training resources any time, from any location. The most common use for LMS software is to deploy and track online training initiatives. Typically, assets are uploaded to the LMS, making them easily accessible for remote learners.
As millions of people log-in to online courses from home because of coronavirus, academic institutions and employers use a LMS to virtually create classes, share coursework, enroll students, and evaluate students with quizzes.
Details of the affected plugins are:
- LearnPress: Plugin that creates courses with quizzes and lessons as the students move through the curriculum. Used in over 21,000 schools and boasts 80,000 installations.
- LearnDash: Plugin that provides tools for content dripping, selling courses, rewarding learners, and activating triggers based on actions. Over 33,000 websites use LearnDash, including many in the Fortune 500, as well as the University of Florida, University of Michigan, and University of Washington
- LifterLMS: Plugin that provides sample courses, sample quizzes, certificates, and a fully configured website. Over 17,000 websites use this plugin, including WordPress agencies and educators, along with various school and educational establishments.