Popular WordPress plugins for creating learning management systems (LMS) are rife with vulnerabilities that can be exploited to take control of the platform, get test answers, and modify grades.
These days, such platforms have become the main instrument for delivering courses. Teachers, professors, and possibly hundreds of thousands of students rely on them to keep education at levels as close to normal as possible.
LearnPress, LearnDash, and LifterLMS are together part of at least 100,000 websites. Some of them are managed by accredited educational institutions like schools, academies, and universities (Florida, Washington, Michigan); others are used by companies to deliver training sessions (paid or free).
Security researchers at Check Point analyzing the three WordPress plugins found bugs that are more or less trivial to exploit. They provide technical details in a report released today.
In total, they discovered four flaws that could be used to steal personal information (names, emails, usernames, passwords), modify payment schemes, change grades, forge certificates, get their hands on tests in advance, or become teachers.
Some of the vulnerabilities could be exploited without authentication and achieve remote code execution, meaning that an external attacker could take over the LMS platform.
Versions of LearnPress 3.2.6.7 and earlier are vulnerable to a time-based blind SQL injection (CVE-2020-6010) that is trivial to leverage and could be avoided by properly sanitizing user input through prepared SQL statements.
Exploiting this problem allows authenticated users to query the system for administrator usernames and hashed passwords. Cracking the passwords depends on how strong they are.
Another glitch on the same platform, tracked as CVE-2020-6011, allows an attacker to assume the role of a teacher by escalating privileges on the system. This is possible by taking advantage of legacy code still present in the product.
In LearnDash versions lower than 3.1.6, the researchers found an unauthenticated second-order SQL injection (CVE-2020-6009) that is more difficult to exploit but could also have been prevented through prepared statements.
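The two SQL injection findings above (the direct one in LearnPress and the second-order one in LearnDash) share the same fix: prepared statements. The following is an added illustration written for this article, not code from either plugin; it uses the `$wpdb` object and helper functions WordPress provides to plugins, and the `lms_*` function names are hypothetical. The second-order pair shows why data read back from the database must be bound as a parameter just like fresh request input.

```php
<?php
// Added example (not LearnPress/LearnDash code): the same lookup written two ways
// inside a WordPress plugin, using the global $wpdb object WordPress provides.

// VULNERABLE: user input concatenated straight into SQL. A time-based blind
// injection only needs the attacker to control part of the WHERE clause.
function lms_get_course_vulnerable( $course_id ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = " . $course_id;
    return $wpdb->get_row( $sql );
}

// FIXED: $wpdb->prepare() binds the value as a parameter; the %d specifier
// also coerces it to an integer, so no SQL syntax can be smuggled in.
function lms_get_course_fixed( $course_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d",
        $course_id
    );
    return $wpdb->get_row( $sql );
}

// SECOND-ORDER case, step 1: a value is sanitized on the way in and stored.
function lms_save_display_name( $user_id, $display_name ) {
    update_user_meta( $user_id, 'lms_display_name', sanitize_text_field( $display_name ) );
}

// Step 2 (VULNERABLE): sanitize_text_field() strips tags and control characters,
// not SQL metacharacters such as a single quote. Reading the stored value back
// and concatenating it into a later query reintroduces the injection; the
// payload is delivered in one request and triggered by another.
function lms_find_users_by_display_name_vulnerable( $user_id ) {
    global $wpdb;
    $name = get_user_meta( $user_id, 'lms_display_name', true );
    return $wpdb->get_results(
        "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_value = '" . $name . "'"
    );
}

// Step 2 (FIXED): treat data read from the database exactly like fresh input
// and bind it with %s. Sanitizing on input is not a substitute for this.
function lms_find_users_by_display_name_fixed( $user_id ) {
    global $wpdb;
    $name = get_user_meta( $user_id, 'lms_display_name', true );
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND meta_value = %s",
            'lms_display_name',
            $name
        )
    );
}
```

When auditing a plugin for second-order injection, the question to ask of every `$wpdb->query()`, `get_results()`, `get_row()` or `get_var()` call is not "where did this value come from" but "was it passed through `$wpdb->prepare()` at this call site"; the origin of the value is irrelevant.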
Looking at LifterLMS, Check Point researchers Omri Herscovici and Sagi Tzadik found that versions lower than 3.37.15 suffer from an arbitrary file write (CVE-2020-6008).
An attacker could exploit this flaw by simply adding malicious PHP code to their first name. This could let them achieve code execution on the server via a planted webshell.
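To make the "PHP code in a first name becomes a webshell" pattern concrete from the defender's side, here is an added example written for this article, not LifterLMS code. It assumes a hypothetical plugin feature that exports a per-user certificate file into the WordPress uploads directory; all `lms_*` function names are invented. The vulnerable version lets profile text decide the file name and its raw contents; the hardened version fixes the name and extension, confines the path, escapes the text, and also validates the field on input.

```php
<?php
// Added example (not LifterLMS code): how a profile field can turn into an
// arbitrary file write, and the controls that close it. Uses WordPress helper
// functions (wp_upload_dir, wp_mkdir_p, esc_html, sanitize_text_field, absint).

// VULNERABLE: the first name chooses the file name (including its extension)
// and is written into the file verbatim. A name ending in .php that carries
// PHP code therefore produces a script the web server will execute.
function lms_export_certificate_vulnerable( $user_id ) {
    $first  = get_user_meta( $user_id, 'first_name', true );
    $upload = wp_upload_dir();
    $path   = $upload['basedir'] . '/certificates/' . $first;
    file_put_contents( $path, "<html><body>Certificate for {$first}</body></html>" );
    return $path;
}

// FIXED: (1) the file name is derived from the numeric user ID, never from
// user text; (2) the extension is fixed by the plugin; (3) the resolved path is
// checked to stay inside the intended directory; (4) user text is HTML-escaped
// before being written, so it is rendered as data, not interpreted as markup
// or code.
function lms_export_certificate_fixed( $user_id ) {
    $first  = get_user_meta( $user_id, 'first_name', true );
    $upload = wp_upload_dir();
    $dir    = $upload['basedir'] . '/certificates';
    wp_mkdir_p( $dir );

    $base = trailingslashit( realpath( $dir ) );
    $path = $base . 'certificate-' . absint( $user_id ) . '.html';
    if ( strpos( $path, $base ) !== 0 ) {
        return new WP_Error( 'lms_bad_path', 'Refusing to write outside the certificate directory.' );
    }

    $body = '<html><body>Certificate for ' . esc_html( $first ) . '</body></html>';
    file_put_contents( $path, $body );
    return $path;
}

// Input-side control: a first name has no business containing angle brackets,
// path separators or "..". Reject those outright and store the sanitized value.
// This is defence in depth; the output-side fixes above are what actually
// remove the file-write primitive.
function lms_save_first_name( $user_id, $first ) {
    $first = sanitize_text_field( wp_unslash( $first ) );
    if ( '' === $first || strlen( $first ) > 100 || preg_match( '/[<>\/\\\\]|\.\./', $first ) ) {
        return new WP_Error( 'lms_bad_name', 'First name contains characters that are not allowed.' );
    }
    update_user_meta( $user_id, 'first_name', $first );
    return true;
}
```

The general rule the fixed version follows: user-controlled text may influence the contents of a file only after escaping for the file's format, and may never influence the file's name, extension or directory. Any write whose path or extension is computed from request or profile data is the place to look first when reviewing a plugin for this class of bug.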
In the video below, you can see how the researchers were able to exploit the vulnerabilities they found in the three LMS plugins for WordPress:
Check Point has informed the developers of the three plugins of the discovered vulnerabilities and new versions have been released to fix the issues. Administrators of websites running these plugins are strongly advised to install the updates.