CATEGORIES
home News

Researchers Discover Multiple WordPress Security Exploits In Popular E-Learning Platforms

by Shane McGlaunFriday, May 01, 2020, 03:00 PM EDT
e learning cracked

As the coronavirus pandemic continues around the world, everyone's lives have changed. The way we work and learn is significantly different now than it was only a few months ago as people shelter in place, and offices and schools around the globe have been forced to move to a distance model. Teaching from home has forced educational institutions everywhere to quickly move to online learning and to implement new systems to support the shift. Security researchers at Check Point Research decided to audit the security of several of the most popular Learning Management Systems (LMS) that are being used to deliver remote education for people of all ages.

The researchers say that most independent websites offering Learning Management Systems rely on WordPress, with three of the leading LMS plug-ins being LearnPress, LearnDash, and LifterLMS. Those three systems are installed on more than 100,000 different educational platforms such as the University of Florida, the University of Michigan, and the University of Washington. The team says that it wanted to see if a motivated student could take control of the educational institution's systems, get test answers, or change student grades.

In LearnPress, which is the second most popular LMS on the internet, the team did find a time-based blind SQL injection vulnerability, which they say is very trivial to identify and exploit. The teams says they were surprised to find this particular exploit, and while it is easy to spot, the vulnerability should not be underestimated as it has an impact on the system integrity that can result in the platform's takeover. A vulnerability that allowed a knowledgeable hacker to escalate privileges to become a teacher was discovered, but that was purged after a recent update.

LearnDash was also found to be vulnerable to a second-order SQL injection. The team says that crafting a specific SQL query could allow them to insert a malicious record into the system. LifterLMS was found to have a flaw that could allow a hacker to execute PHP code written in the user's first name field, effectively achieving code execution on the server. That could allow the user to steal personal information and allow the student to change grades, forge certificates, and escalate privileges to those of a teacher.

The security researchers say that they found a total of four vulnerabilities that allow students and sometimes even unauthenticated users to access sensitive information, steal personal records, and even take control of the LMS platforms. Anyone using these three LMS systems is urged upgrade to the latest versions that eliminate these security issues.

In other security news, Apple recently confirmed that the iPhone mail app had a zero-day security exploit that could have exposed the private data of millions of people.

Tags:  security, Research, WordPress, check-point
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment