Critical vulnerabilities in WordPress plugins lead to e-learning platform hijacking

The most serious issues discovered can be used in remote code execution attacks.
Written by Charlie Osborne, Contributing Writer

Three WordPress plugins commonly used by e-learning platforms and Fortune 500 companies were found to contain severe security issues, researchers say.

On Thursday, Check Point published research on three popular WordPress plugins -- LearnPress, LearnDash, and LifterLMS -- learning management systems (LMS) widely used for educational purposes, especially at a time when distance learning is being more widely adopted due to the coronavirus outbreak.

LMS platforms can be used to manage online courses, both free and paid, as well as to host student resources, issue and mark assignments, and to facilitate discussion between students. 

LearnPress, developed by ThimPress, is a plugin for creating and publishing courses with over 80,000 active installations. LearnDash is another LMS course creation bolt-on used by universities and Fortune 500 companies -- roughly 33,000 websites in total -- and LifterLMS is a course and membership website creation plugin with at least 10,000 active installs. 

Check Point examined these plugins in-depth, finding four vulnerabilities -- CVE-2020-6008, CVE-2020-6009, CVE-2020-6010, and CVE-2020-11511 -- which ranged from privilege escalation to remote code execution (RCE). 

"These vulnerabilities allow regular students and sometimes even unauthenticated users to gain sensitive information or take control of the LMS platforms," the team said. 

It is possible, Check Point says, for students or remote, unauthenticated attackers to exploit the security flaws to hijack e-learning platforms, steal sensitive data, change grades, tamper with assignments, forge certificates, and potentially siphon money away from LMS platforms offering paid courses.


The WordPress plugin analysis took place in March over the course of two weeks. The first vulnerability, CVE-2020-6010, impacts LearnPress versions and below. This vulnerability is an SQL injection flaw deemed "trivial" to exploit by the research team.

The second vulnerability, CVE-2020-11511, also impacts the same LMS plugin. This particular bug was caused by legacy code left in the system and could be used to give a user the same privileges as a teacher -- without any check on account permissions.

"Both of the vulnerabilities we reported received the same treatment from the author -- the vulnerable functions were completely purged from the new patched version," the researchers noted. "A classic case of 'the best code is no code at all.'"

This vulnerability was also disclosed by the Wordfence security team on April 28. 


LearnDash, versions 3.1.6 and below, is susceptible to CVE-2020-6009, described as an unauthenticated second-order SQL injection issue. A function, learndash_get_course_groups, fails to sanitize user-supplied data fully, and can, therefore, be used to trigger an SQL injection attack by a user without authentication. 
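To make concrete what "second-order" means in the LearnDash finding, the following is an added Python/sqlite3 illustration; it is not Check Point's proof of concept or LearnDash code, and the table names, the `create_group` / `members_for_course_*` functions and the sample rows are all made up for the example. It shows that a value written safely with a bound parameter can still break a later query that interpolates it as a string, and that binding parameters in that later query as well is the fix.

```python
import sqlite3

def build_db():
    # Constructed in-memory stand-in for an LMS database (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE course_groups (group_name TEXT, course_id INTEGER);
        CREATE TABLE group_members (group_name TEXT, user TEXT);
    """)
    conn.executemany("INSERT INTO group_members VALUES (?, ?)",
                     [("alpha", "alice"), ("beta", "bob"), ("staff", "admin")])
    return conn

def create_group(conn, name, course_id):
    # Stage 1: the user-supplied name is stored with a bound parameter, so this
    # INSERT is not injectable and any quote characters land in the row intact.
    conn.execute("INSERT INTO course_groups VALUES (?, ?)", (name, course_id))

def _group_names(conn, course_id):
    rows = conn.execute("SELECT group_name FROM course_groups WHERE course_id = ?",
                        (course_id,))
    return [r[0] for r in rows]

def members_for_course_unsafe(conn, course_id):
    # Stage 2 (vulnerable pattern): stored names are trusted because they "came
    # from the database" and are concatenated into a second query. A stored
    # quote now changes the WHERE clause, so the query is no longer what the
    # developer wrote.
    names = _group_names(conn, course_id)
    if not names:
        return []
    in_list = ",".join("'%s'" % n for n in names)
    sql = "SELECT user FROM group_members WHERE group_name IN (%s)" % in_list
    return sorted(r[0] for r in conn.execute(sql))

def members_for_course_safe(conn, course_id):
    # Hardened form: the second query binds every stored value too, so the
    # structure of the statement is fixed regardless of what the rows contain.
    names = _group_names(conn, course_id)
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = "SELECT user FROM group_members WHERE group_name IN (%s)" % placeholders
    return sorted(r[0] for r in conn.execute(sql, names))
```

Running both lookups against a course whose group list contains a name with an embedded quote shows the unsafe version returning members of every group, while the safe version returns only the course's own members.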

CVE-2020-6008 is an arbitrary file-write vulnerability found in LifterLMS versions 3.37.15 and below. This security flaw exists in how PHP and Ajax files are handled, granting attackers the opportunity to intercept requests to write PHP files without permission and remotely execute code. 

The vendors were contacted with Check Point's findings and updated, patched versions have since been released. Users should make sure their plugins are up-to-date to stay protected. 


"Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs," commented Check Point vulnerability researcher Omri Herscovici. "We urge the relevant educational establishment[s] everywhere to update to the latest versions of all the platforms."

Earlier this month, a cross-site scripting (XSS) vulnerability was found in OneTone, a WordPress theme developed by Magee WP. The bug permitted attackers to inject malicious code into the settings area of the theme, allowing the creation of backdoor administrator accounts.

Update: CVE-2020-6011 was incorrectly mentioned and has been amended to CVE-2020-11511.
