Security flaws in these learning management system plugins allowed students and hackers to change grades, siphon money and data.

As legions of students and employees learn and train from home during the global pandemic, vulnerabilities have been unearthed in the most widely-used plugins powering online learning for top academic institutions and Fortune 500 companies.

Security researchers from Check Point Research have found:

  • Security flaws in the three marquee WordPress plugins: LearnPress, LearnDash and LifterLMS.
  • These security flaws allow students, as well as unauthenticated users, to steal personal information, siphon money and attain teacher privileges.

Plugins are used by academic institutions and thousands of educational platforms worldwide relying on learning management systems (LMS) to conduct virtual classes without having students or employees come into a physical classroom.

What is a Learning Management System?

Think of an LMS as a vast repository where you can store and track educational information. Anyone with a login and password can access these online training resources whenever and wherever. The most common use for LMS software is to deploy and track online training initiatives.

Typically, assets are uploaded to the LMS, making them easily accessible for remote learners. As millions of people log-in to online courses from home because of the coronavirus lockdowns, academic institutions and employers use a LMS to create virtual classes, share coursework, enrol students, and evaluate students with quizzes.

Security Flaws in WordPress’ Plugins

The security flaws were found in LearnPress, LearnDash and LifterLMS. Any of these three plugins can transform any WordPress website into a fully functioning and easy-to-use LMS.

Each plugin is described further below:

  • LearnPress: Plugin that creates courses with quizzes and lessons as the students move through the curriculum. Used in over 21,000 schools and boasts 80,000 installations.
  • LearnDash: Plugin that provides tools for content dripping, selling courses, rewarding learners, and activating triggers based on actions. Over 33,000 websites use LearnDash.
  • LifterLMS: Plugin that provides sample courses, sample quizzes, certificates, and a fully configured website. Over 17,000 websites use this plugin, including WordPress agencies and educators, along with various school and educational establishments.

These vulnerabilities in these plugins enable students, as well as unauthenticated users to gain sensitive information and/or take control of the entire eLearning platform. Specifically, a person could leverage the security flaw to:

  • Steal personal information: names, emails, usernames and passwords
  • Funnel money from an LMS into their own bank accounts
  • Change grades for themselves
  • Change grades for peers
  • Forge certificates
  • Retrieve test answers
  • Escalate their privileges to that of a teacher

Coordinated disclosure

The vulnerabilities were found in a span of two weeks during the month of March 2020. Check Point researchers have responsibly disclosed each of the vulnerabilities in the respective platforms to the appropriate developers. As of the date of this publication, all three systems have patched the vulnerabilities, which were assigned CVE-2020-6008, CVE-2020-6009, CVE-2020-6010 and CVE-2020-6011.