Security researchers from Check Point Research Team discovered critical vulnerabilities in three popular e-learning plugins for WordPress sites.

Security researchers at Check Point Research Team are warning of recently discovered vulnerabilities in some popular online learning management system (LMS) WordPress plugins. The impact could be serious because these WordPress plugins are used for WordPress sites by several organizations and universities use to offer online training courses, especially during the COVID-19 pandemic.

The impacted WordPress plugins are LearnPressLearnDash, and LifterLMS, the issued could be exploited by unauthenticated users, to steal personal information of registered users to achieve teacher privileges.

The 3 plugins are installed on more than 100,000 different educational platforms used by several universities such as the University of Florida, University of Michigan, University of Washington as well as hundreds of online academies. LearnPress and LifterLMS have been already downloaded over 1.6 million times.

“Our approach was to see if a motivated student can accomplish the childhood dream of every hacker – take control of his educational institution, get test answers and even change students’ grades.” reads the post published by Check Point.

Experts discovered multiple issues in the LearnPress plugin, including a blind SQL injection (CVE-2020-6010) and privilege escalation (CVE-2020-6011), that could allow an existing user to achieve a teacher’s role.

The issued affects Vulnerable LearnPress plugin versions prior 3.2.6.7.

“This vulnerability is a good example of legacy code forgotten behind resulting in a privilege escalation in the current design of the system.” reads the description for the CVE-2020-11511 flaw (Becoming a Teacher).

“The function learn_press_accept_become_a_teacher can be used to upgrade a registered user to a teacher role, resulting in a privilege escalation. Unexpectedly, the code doesn’t check the permissions of the requesting user, therefore letting any student call this function.”

Experts also discovered a SQL injection flaw (CVE-2020-6009) in the LearnDash WordPress plugin that could be exploited to trigger fake course enrollment transactions by crafting a malicious SQL query using PayPal’s Instant Payment Notification (IPN) message service simulator.

Coding

The researchers also discovered an arbitrary file write vulnerability (CVE-2020-6008) in the LifterLMS, it could allow a student registered for a specific course, to change their profile name by using a malicious piece of PHP code.

“In total, we found 4 vulnerabilities that were assigned CVE-2020-6008, CVE-2020-6009 and CVE-2020-6010 and one duplicate CVE-2020-11511.” continues the report.

“These vulnerabilities allow students and sometimes even unauthenticated users to gain sensitive information, edit personal records, and even take control of the LMS platforms.”

The development teams behind the three LMS systems have already released patches to address the issues.

Due to the recent popularity of the E-Learning platforms, experts urge users to upgrade to the latest versions of these platforms:

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

Pierluigi Paganini