Multiple Vulnerabilities In WordPress’ Most Popular Learning Management System Plugins
The 3 leading WordPress LMS Plugins are: LearnPress, LearnDash, and LifterLMS. These platforms can transform any WordPress website into a fully functioning and easy to use LMS. The 3 systems are installed on more than 100,000 different educational platforms and include universities such as the University of Florida, University of Michigan, University of Washington as well as hundreds of online academies. The impact multiplies as it affects all of the students in all of these establishments.
Security researchers at Check Point analyzing the three WordPress plugins found bugs that are more or less trivial to exploit. They provide technical details in a report released today.
In total, they discovered four flaws that could be used to steal personal information (names, emails, usernames, passwords), modify payment schemes, change grades, forge certificates, get their hands on tests in advance, or become teachers. Some of the vulnerabilities could be exploited without authentication and achieve remote code execution, meaning that an external attacker could take over the LMS platform.
Versions of LearnPress 126.96.36.199 and earlier are vulnerable to a time-based blind SQL injection (CVE-2020-6010) that is trivial to leverage and could be avoided by properly sanitizing user input through prepared SQL statements.
Exploiting this problem allows authenticated users to query the system for administrator usernames and hashed passwords. Cracking the passwords depends on how strong they are.
Another glitch on the same platform, tracked as CVE-2020-6011, allows an attacker to assume the role of a teacher by escalating privileges on the system. This possible by taking advantage of legacy code still present in the product.
In LearnDash versions lower than 3.1.6, the researchers found an unauthenticated second-order SQL injection (CVE-2020-6009) that is more difficult to exploit but could also have been prevented through prepared statements.
Looking at LifterLMS, Check Point researchers Omri Herscovici and Sagi Tzadik found that versions lower than 3.37.15 suffer from an arbitrary file write (CVE-2020-6008).
An attacker could exploit this flaw by simply adding malicious PHP code to their first name. This could let them achieve code execution on the server via a planted webshell.
In the video below, you can see how the researchers were able to exploit the vulnerabilities they found in the three LMS plugins for WordPress:
Check Point has informed the developers of the three plugins of the discovered vulnerabilities and new versions have been released to fix the issues. Administrators of websites running these plugins are strongly advised to install the updates.