Three WordPress vulnerabilities commonly used by e-learning and Fortune 500 were subject to severe security issues, researchers say.
On Thursday, Check Point published research surrounding three popular WordPress plugins, LearnPress, LearnDash, and LifterLMS, learning management systems (LMS) widely used for educational purposes especially at a time when distance learning is being more widely adopted due to the coronavirus outbreak.
LMS platforms can be used to manage online courses, both free and paid, as well as to host student resources, issue and mark assignments, and to facilitate discussion between students.
LearnPress, developed by ThimPress, is a plugin for creating and publishing courses with over 80,000 active installations. LearnDash is another LMS course creation bolt-on used by universities and Fortune 500 companies -- roughly 33,000 websites in total -- and LifterLMS is a course and membership website creation plugin with at least 10,000 active installs.
Check Point examined these plugins in-depth, finding four vulnerabilities -- CVE-2020-6008, CVE-2020-6009, CVE-2020-6010, and CVE-2020-11511 -- which ranged from privilege escalation to remote code execution (RCE).
"These vulnerabilities allow regular students and sometimes even unauthenticated users to gain sensitive information or take control of the LMS platforms," the team said.
It is possible, Check Point says, for students or remote, unauthenticated attackers to exploit the security flaws to hijack e-learning platforms, steal sensitive data, change grades, tamper with assignments, forge certificates, and potentially siphon money away from LMS platforms offering paid courses.
The WordPress plugin analysis took place in March over the course of two weeks. The first vulnerability, CVE-2020-6010, impacts LearnPress versions 188.8.131.52 and below. This vulnerability is an SQL injection flaw deemed "trivial" to exploit by the research team.
The second vulnerability, CVE-2020-11511, also impacts the same LMS plugin. This particular bug was caused by legacy code left in the system and could be used to give a user the same privileges as a teacher -- without checking on account permissions.
"Both of the vulnerabilities we reported received the same treatment from the author -- the vulnerable functions were completely purged from the new patched version," the researchers noted. "A classic case of "the best code is no code at all.""
This vulnerability was also disclosed by the Wordfence security team on April 28.
LearnDash, versions 3.1.6 and below, is susceptible to CVE-2020-6009, described as an unauthenticated second-order SQL injection issue. A function, learndash_get_course_groups, fails to sanitize user-supplied data fully, and can, therefore, be used to trigger an SQL injection attack by a user without authentication.
CVE-2020-6008 is an arbitrary file-write vulnerability found in LifterLMS versions 3.37.15 and below. This security flaw exists in how PHP and Ajax files are handled, granting attackers the opportunity to intercept requests to write PHP files without permission and remotely execute code.
The vendors were contacted with Check Point's findings and updated, patched versions have since been released. Users should make sure their plugins are up-to-date to stay protected.
"Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs," commented Check Point vulnerability researcher Omri Herscovici. "We urge the relevant educational establishment[s] everywhere to update to the latest versions of all the platforms."
Earlier this month, a cross-site scripting (XSS) vulnerability was found in OneTone, a WordPress theme developed by Magee WP. The bug permitted attackers to inject malicious code into the settings area of the theme, allowing the creation of backdoor administrator accounts.
Update: CVE-2020-6011 was incorrectly mentioned and has been amended to CVE-2020-11511.
Previous and related coverage
- WordPress plugin vulnerability can be exploited for total website takeover
- Bug in WordPress plugin can let hackers wipe up to 200,000 sites
- Hackers are creating backdoor accounts and cookie files on WordPress sites running OneTone
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0