Researchers have revealed worrying security flaws in three leading WordPress plugins – LearnPress, LearnDash and LifterLMS – deployed by top academic institutions and Fortune 500 companies for delivering remote learning sessions.
According to Check Point Research, these plugins, which turn a WordPress site into a full-fledged online Learning Management System (LMS), are affected by serious vulnerabilities such as Remote Code Execution and SQL Injection that can be used to steal personal data, modify account privileges, siphon off money and more.
These flaws were discovered over a two-week period in March and were patched by the respective plugin vendors after the researchers reported them.
LMS plugin vulnerability
Due to the coronavirus lockdown, most educational institutions have set up online classrooms to ensure studies are not impacted. While several organisations have opted for virtual classroom sessions via video-conferencing tools like Microsoft Teams or Zoom, many others use online learning platforms to conduct regular classes.
Top colleges and universities such as the University of Florida, the University of Michigan and the University of Washington are among some 100,000 educational institutions that use at least one of the three vulnerable plugins on their websites.
“We proved that hackers could easily take control of the entire eLearning platform. Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs,” Check Point researcher Omri Herscovici said.
“The detected vulnerabilities allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishments everywhere to check if they are using these plugins and update to the latest versions of them,” he added.
The researchers found that virtually anyone could exploit the flaws in these plugins to change their own or their peers’ grades, forge certificates and retrieve test answers, as well as steal user data or transfer money to unauthorised accounts.
To keep accounts secure, the researchers advise institutions to update to the patched versions of these plugins.