Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system (LMS) plugins that various organizations and universities use to offer online training courses through their WordPress-based websites.
According to the Check Point Research Team, the three WordPress plugins in question — LearnPress, LearnDash, and LifterLMS — have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges.
“Because of coronavirus, we’re doing everything from our homes, including our formal learning,” Check Point Research’s Omri Herscovici said. “The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms.”
The three LMS systems are installed on approximately 100,000 different educational platforms, including major universities such as the University of Florida, the University of Michigan, and the University of Washington, among others.
LearnPress and LifterLMS alone have been downloaded over 1.6 million times since their launch.