According to researchers, vulnerabilities have been identified in WordPress plugins commonly used by e-learning platforms. The vulnerabilities raise important security issues.
Check Point published research on three popular WordPress plugins, LearnPress, LearnDash and LifterLMS, which are LMS systems widely used for educational purposes, especially at a time when distance education has become a daily occurrence for many users.
LMS (learning management systems) can be used to manage online courses (both free and paid), facilitate discussion among students, etc.
LearnPress, developed by ThimPress, is a plugin for creating and publishing courses with more than 80,000 active installations. LearnDash is another LMS plugin used by universities and companies (there are about 33,000 sites with this plugin). Finally, LifterLMS is a plugin with over 10,000 installations.
Check Point examined the WordPress plugins and found four vulnerabilities: CVE-2020-6008, CVE-2020-6009, CVE-2020-6010 and CVE-2020-6011, which can allow an attacker to gain more privileges and also to execute code remotely (RCE).
"These vulnerabilities allow regular students, but also unauthorized users, to obtain sensitive information or take control of LMS platforms," the team said.
According to Check Point, students or even remote, unauthorized intruders could exploit the security gaps to hijack e-learning platforms, steal sensitive data, change grades, forge certificates and possibly steal money from LMS platforms that offer paid courses.
The analysis of the WordPress plugins took place in March. The first vulnerability, CVE-2020-6010, affects LearnPress versions from 18.104.22.168 onwards. It is a SQL injection vulnerability.
The second vulnerability, CVE-2020-6011, also affects LearnPress. This flaw could be used to give a user the same privileges as a teacher.
"Both vulnerabilities we mentioned received the same treatment from the developer - the vulnerabilities were fixed with the new update," the researchers noted.
The same plugin was found to have another flaw, CVE-2020-11511, discovered by the Wordfence research team on April 28. Version 22.214.171.124 and the following are affected by the flaw, which can be exploited to allow someone to gain more privileges.
LearnDash (version 3.1.6 and later) is vulnerable to CVE-2020-6009, which can allow a SQL injection attack by an unauthorized user.
CVE-2020-6008 affects LifterLMS (version 3.37.15 and later). This flaw can allow intruders to execute code remotely.
After the publication of the report, updates to the WordPress plugins were released to address the security issues. Users need to make sure their plugins are up to date to stay protected.
"Top educational institutions, as well as many online academies, rely on the systems we have researched in order to carry out their online courses and training programs," commented Check Point researcher Omri Herscovici.
"We urge the relevant educational institutions to upgrade all platforms to the latest versions."