Check Point has revealed vulnerabilities in the most widely used WordPress plugins behind some of the most popular online learning platforms.
Researchers working for Check Point discovered the security flaws in three widely used WordPress plugins – LearnPress, LearnDash and LifterLMS – which enable a WordPress website to be used as a learning management system (LMS).
LMS platforms are among the most popular resources being used by universities and colleges to support teaching during self-isolation.
The cybersecurity analysts estimate the affected plugins are installed in around 100,000 different educational platforms, including ones used by three large US universities.
The vulnerabilities include privilege escalation, SQL injection and remote code execution.
These faults could have been used to steal sensitive personal information, forge certificates, change grades and results, and even funnel money illegally.
Researchers discovered the vulnerabilities in a two-week period of observation during March 2020. Check Point disclosed each of the vulnerabilities in the respective platforms to the appropriate developers, whereupon the faults were patched.
IT teams running LMS platforms should check if they are using the affected plugins and update to the latest versions to close the vulnerabilities.
Details of the affected plugins are:
LearnPress: Plugin that creates courses with quizzes and lessons as the students move through the curriculum. It’s used in over 21,000 schools and boasts 80,000 installations.
LearnDash: Plugin that provides tools for content dripping, selling courses, rewarding learners, and activating triggers based on actions. Over 33,000 websites use LearnDash.
LifterLMS: Plugin that provides sample courses, sample quizzes, certificates and a fully configured website. Over 17,000 websites use this plugin, including WordPress agencies and educators, along with various school and educational establishments.