Check Point researchers have disclosed high-severity flaws in the popular WordPress Learning Management System plugins LearnPress, LearnDash and LifterLMS, which are used by more than 100,000 school websites, including reputed universities such as the University of Florida, the University of Michigan, and the University of Washington, among others.
Various educational platforms use these e-learning plugins as a Learning Management System (LMS) to create, administer and track courses. With so many students taking online courses, these platforms become an easy target for students who want to try their hand at hacking.
The vulnerabilities range from privilege escalation through SQL injection up to full remote code execution. They could allow attackers to steal personal information such as names, emails, usernames and passwords, or to target the financial payment methods on the platform. With a successful exploit, students could also change their own grades or those of any other student, access tests, escalate their privileges to those of a teacher, and forge graduation certificates.
In total, the Check Point Research team found 4 vulnerabilities, which were assigned CVE-2020-6008, CVE-2020-6009 and CVE-2020-6010, plus one duplicate, CVE-2020-11511. “The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishment everywhere to update to the latest versions of all the platforms,” Check Point Research’s Omri Herscovici said.
Vulnerable version 22.214.171.124
LearnPress is the most popular Learning Management System in India and worldwide. It enables website administrators to easily create, manage and sell online courses. According to the WordPress plugin website, it has more than 80,000 installations and is used by more than 21,000 schools.
A time-based blind SQL injection vulnerability (CVE-2020-6010) and a privilege escalation vulnerability (CVE-2020-11511) are present in version 126.96.36.199.
Vulnerable version 3.1.6
LearnDash currently runs on over 33,000 websites. It is mostly used in the United States, where it is integrated into Fortune 500 companies as well as leading universities. An unauthenticated second-order SQL injection vulnerability (CVE-2020-6009) was found in LearnDash, with a CVSS score of 9.8 out of 10, making it a severe vulnerability. “This vulnerability is easy to spot but much harder to exploit,” said a Check Point researcher.
Vulnerable version 3.37.15
A total of 17,000 websites use LifterLMS, including WordPress educators and various educational platforms. It contains an arbitrary file write vulnerability (CVE-2020-6008) with a CVSS score of 9.8 out of 10. The flaw allows an attacker, e.g. a student registered for a specific course, to change their profile name to a malicious piece of PHP code, as shown in a demo provided by Check Point.
Please upgrade to the latest versions of these platforms:
- LifterLMS – https://downloads.wordpress.org/plugin/lifterlms.3.37.16.zip
- LearnPress – https://downloads.wordpress.org/plugin/learnpress.188.8.131.52.zip
- LearnDash – https://www.learndash.com/