As coronavirus forces students and employees to learn and train from home, Check Point Research finds vulnerabilities in the most widely-used plugins powering online learning for top academic institutions and Fortune 500 companies.
• Security flaws in the three marquee WordPress plugins: LearnPress, LearnDash and LifterLMS
• Students, as well as unauthenticated users, can abuse security flaws to steal personal information, siphon money and attain teacher privileges
• The plugins are used by top academic institutions, including the University of Florida, University of Michigan and University of Washington, and are installed on approximately 100,000 educational platforms
Security researchers at Check Point identified security flaws in the most widely-used plugins powering online learning. As coronavirus forces people everywhere into their homes, top academic institutions and Fortune 500 companies are relying on learning management systems (LMS) to conduct virtual classes without having students or employees come into a physical classroom. Check Point Research discovered the security flaws in the three marquee WordPress plugins, named LearnPress, LearnDash and LifterLMS. The vulnerabilities enable students, as well as unauthenticated users, to steal personal information, siphon money and/or attain teacher privileges.
What is a Learning Management System?
Think of an LMS as a vast repository where you can store and track educational information. Anyone with a username and password can access these online training resources whenever and wherever. The most common use for LMS software is to deploy and track online training initiatives. Typically, assets are uploaded to the LMS, making them easily accessible for remote learners. As millions of people log in to online courses from home because of coronavirus, academic institutions and employers use an LMS to virtually create classes, share coursework, enroll students, and evaluate students with quizzes.
Found: Security Flaws in WordPress Plugins
The security flaws were found in LearnPress, LearnDash and LifterLMS. Any one of these three plugins can transform a WordPress website into a fully functioning and easy-to-use LMS. The three plugins are used by Fortune 500 companies and some of the top universities in the world, including the University of Florida, University of Michigan and University of Washington, and are installed on approximately 100,000 different educational platforms. Each plugin is described further below:
• LearnPress: Plugin that creates courses with quizzes and lessons as the students move through the curriculum. Used in over 21,000 schools and boasts 80,000 installations.
• LearnDash: Plugin that provides tools for content dripping, selling courses, rewarding learners, and activating triggers based on actions. Over 33,000 websites use LearnDash, including many in the Fortune 500, as well as the University of Florida, University of Michigan, and University of Washington.
• LifterLMS: Plugin that provides sample courses, sample quizzes, certificates, and a fully configured website. Over 17,000 websites use this plugin, including WordPress agencies and educators, along with various school and educational establishments.
Change Grades. Forge Certificates. Cheat the LMS
These vulnerabilities enable students, as well as unauthenticated users, to gain access to sensitive information and/or take control of the entire eLearning platform. Specifically, an attacker could leverage the security flaws to:
• Steal personal information: names, emails, usernames and passwords
• Funnel money from an LMS into their own bank accounts
• Change grades for themselves
• Change grades for peers
• Forge certificates
• Retrieve test answers
• Escalate their privileges to that of a teacher
The vulnerabilities were found over a two-week span in March 2020. Check Point researchers responsibly disclosed each vulnerability to the respective plugin developers. All three vendors patched the vulnerabilities, which were assigned CVE-2020-6008, CVE-2020-6009, CVE-2020-6010 and CVE-2020-6011. Site operators running any of the three plugins should update to the patched releases.