Some of the “most widely-used” WordPress plugins that power online learning platforms contain serious security flaws, according to researchers at cybersecurity firm Check Point.
LearnPress, LearnDash and LifterLMS, which transform any WordPress website into a fully functioning and easy-to-use learning management system (LMS), all suffer from serious issues.
The vulnerabilities are numerous and all equally ominous, allowing for privilege escalation, SQL injection, and remote code execution.
The flaws afford hackers the opportunity to steal personal information, transfer funds, change grades, forge certificates, uncover test answers in advance, and set themselves up with a teacher account.
According to Check Point researchers, the defective plugins are used by “top academic institutions and Fortune 500 companies,” including the University of Florida, University of Michigan, and University of Washington, and are installed on approximately 100,000 different educational platforms.
The developers were notified of the vulnerabilities and all have released associated patches, which means updating the plugins should resolve the potential threat.