The flaws in LearnPress, LearnDash and LifterLMS could have allowed unauthenticated students to change their grades, cheat on tests and gain teacher privileges.
Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more.
The vulnerable plugins have been installed on more than 130,000 school websites — including ones used by the University of Florida, University of Michigan and University of Washington. Schools leverage these plugins as part of their learning management systems (LMS). LMS platforms, used to administer, track and organize coursework, are vital right now for schools quickly moving classrooms online during the coronavirus pandemic.
LearnPress is used on LMS platforms to create courses with quizzes and lessons for students, and has an install base of 80,000. LearnDash provides tools for selling online coursework, and is used by more than 33,000 websites. And, LifterLMS provides sample courses and quizzes, and is used by more than 17,000 websites.
“We proved that hackers could easily take control of the entire e-learning platform. Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs,” Omri Herscovici, Check Point vulnerability research team leader, said in a Thursday analysis. “The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishment everywhere to update to the latest versions of all the platforms.”
The flaws range in seriousness and impact, but could allow third-party attackers to steal personal information (such as names, emails, usernames and passwords) or target the financial payment methods that are tied to the platforms. In addition, the flaws could have given students the ability to change the grades for themselves or their friends, retrieve tests before they are administered, escalate their privileges to those of a teacher and forge graduation certificates.
Threatpost has reached out to LearnPress, LearnDash and LifterLMS for further comment.
Researchers found the flaws in a span of two weeks during March. All vulnerabilities have since been reported to the plugin developers and patched.
A time-based blind SQL injection vulnerability (CVE-2020-6010) exists in versions 220.127.116.11 and earlier of LearnPress, which researchers said “is very trivial to identify and exploit.” Specifically, the flaw exists in the method _get_items of the class LP_Modal_Search_Items. The method fails to sufficiently sanitize user-supplied data before using it in an SQL query. This can be exploited by an authenticated attacker merely by sending a specially crafted request to the /wp-admin/admin-ajax.php endpoint.
Doing so would “allow students and even unauthenticated users to retrieve the entire content of the database and steal personal information just like in any other compromised platform that has registered users (names, emails, usernames, passwords, etc…),” Herscovici told Threatpost. “Getting the administrator hash and cracking it allows the attacker to get full control over the server.”
In another flaw in LearnPress (CVE-2020-11511), the function learn_press_accept_become_a_teacher doesn’t check the permissions of the requesting user – so anyone can call the function, whether they’re a teacher or not. The privilege-escalation flaw can be leveraged by a student to upgrade to a teacher role – giving themselves access to grades, tests and more.
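The missing permission check described above is a pattern any WordPress AJAX handler can fall into. The following is an added illustration, not LearnPress's own code: a hypothetical "approve teacher request" handler shown in its vulnerable form and in a hardened form with a nonce check, a capability check and input validation. Function names, the action name and the role slug are assumptions chosen for this example.

```php
<?php
// Added illustration, not LearnPress code. Function, action and role names
// are assumptions for this example.

// Vulnerable pattern: the handler trusts whoever calls it. Any logged-in user
// (and, if also registered with wp_ajax_nopriv_, any anonymous visitor) can
// promote an arbitrary account to the teacher role.
function example_accept_teacher_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        $user->set_role( 'example_teacher' ); // hypothetical role slug
    }
    wp_send_json_success();
}

// Hardened pattern: verify a nonce tied to this action (blocks CSRF), require
// a capability that only administrators hold, validate the user id, and log
// the role change so it can be reviewed later.
function example_accept_teacher_hardened() {
    check_ajax_referer( 'example_accept_teacher', 'nonce' );

    // promote_users is a core capability granted to administrators only.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'unknown user' ), 400 );
    }

    $user->set_role( 'example_teacher' ); // hypothetical role slug
    error_log( sprintf(
        'role change: user %d promoted to teacher by admin %d',
        $user_id,
        get_current_user_id()
    ) );
    wp_send_json_success();
}

// Only the hardened handler is registered, and only for authenticated
// requests: there is deliberately no wp_ajax_nopriv_ hook for this action.
add_action( 'wp_ajax_example_accept_teacher', 'example_accept_teacher_hardened' );
```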
In versions earlier than 3.1.6 of LearnDash, researchers found an unauthenticated second-order SQL injection (CVE-2020-6009), stemming from the ld-groups.php file. The file failed to sanitize user-supplied data before using it in an SQL query. Similar to CVE-2020-6010, this flaw enables attackers to access the entire content of the database and steal personal information. The flaw ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.
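Both SQL injection flaws above (CVE-2020-6010 in LearnPress and CVE-2020-6009 in LearnDash) come down to request data reaching a query unparameterised. As an added illustration that is not code from either plugin, here is a hypothetical admin-ajax item-search handler in the vulnerable shape and in a hardened shape using $wpdb->prepare(); the post type, action name and function names are assumptions chosen for this example.

```php
<?php
// Added illustration, not LearnPress or LearnDash code. Post type, action
// and function names are assumptions for this example.

// Vulnerable pattern: the search term from the request is concatenated into
// the SQL string. With a time-based blind injection the attacker needs no
// visible output; the response delay alone is enough to extract data.
function example_search_items_vulnerable() {
    global $wpdb;
    $term = $_REQUEST['term'];
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_type = 'example_quiz' AND post_title LIKE '%{$term}%'
             LIMIT 20";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the query is parameterised with $wpdb->prepare(), LIKE
// wildcards in the user's term are escaped with $wpdb->esc_like(), and the
// endpoint requires a nonce and a capability. The same prepare() discipline
// must apply to values read back from the database and reused in a later
// query; that is the second-order case, where stored data is no more
// trustworthy than request data.
function example_search_items_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_search_items', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $term = isset( $_REQUEST['term'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) )
        : '';
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_title LIKE %s
         LIMIT %d",
        'example_quiz',
        $like,
        20
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered, for authenticated requests only.
add_action( 'wp_ajax_example_search_items', 'example_search_items_hardened' );
```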
Finally, researchers found an arbitrary file-write flaw (CVE-2020-6008) in versions earlier than 3.37.15 of LifterLMS. The flaw exists due to insufficient validation of files during file upload; remote attackers can leverage the flaw to execute code and effectively take over the learning platforms. This flaw ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.
“The SQL injection is very dangerous since it allows stealing the entire database of the website with all the information, including the admin’s hashed password,” Herscovici told Threatpost. “But the most dangerous one is the arbitrary file-write (CVE-2020-6008) which allows the attacker to upload any code of their own to the server, thus instantly achieving full remote code execution.”
The threat is not hypothetical: Previously uncovered malware campaigns have targeted the education industry, including one looking to compromise a Canadian medical research university. Other schools have been hit by Zoom-bombing attacks, where attackers hijack online classes using the Zoom platform to spew hateful messages or videos. And last week, researchers said several U.S. universities were targeted in a widespread spear-phishing attack that uses adult dating as a lure. In reality, the emails spread the Hupigon remote access trojan (RAT), known to be leveraged by state-sponsored threat actors.