Three popular WordPress plugins LearnPress, LearnDash, and LifterLMS hijacked – Critical vulnerabilities found

Amidst Covid-19 pandemic various organizations and universities are using learning management systems (LMS) to manage online courses, host student resources, issue and mark assignments, online registration, assessments, collaborative technologies, payment processing, and facilitate discussion between students through their WordPress-based websites. 

The three WordPress plugins in question are LearnPressLearnDash, and LifterLMS. The serious vulnerabilites discovered can be used in remote code execution attacks.On examination, Check Point found four vulnerabilities — CVE-2020-6008, CVE-2020-6009, CVE-2020-6010, and CVE-2020-6011 which range from privilege escalation to remote code execution (RCE). 

  • LearnPress plugin, with over 80,000 active installations is for creating and publishing courses. Vulnerability CVE-2020-6010, impacts LearnPress versions 3.2.6.7 and below. This vulnerability is an SQL injection flaw, another vulnerability- CVE-2020-6011, in the same plugin can be used to gain a teacher’s privileges without checking on account permissions.
  •  LearnDash plugin with around 33,000 websites is used by universities and Fortune 500 companies. LearnDash, versions 3.1.6 and below, suffers from a SQL injection flaw CVE-2020-6009 that allows hacker to create a malicious SQL query by using PayPal’s Instant Payment Notification (IPN) message service simulator to trigger fake course enrolment transactions.
  • LifterLMS plugin with at least 10,000 active installs is a course and membership website creation plugin. LifterLMS versions 3.37.15 and below arbitrary file write vulnerability CVE-2020-6008 is found which exploits the PHP and Ajax files and can be used by attackers to intercept requests to write PHP files without permission and remotely execute code. 

Check Point Research Team points out, the three WordPress plugins in question — LearnPressLearnDash, and LifterLMS  have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges. The flaws allow attackers to steal, change and also forge personal information and certificates.
 The updated, patched versions have been released. Adcy.io recommends users to upgrade to the latest versions of these plugins to stay protected.