The COVID-19 pandemic has changed the way we live and work. “Sheltering in place” requires many people to work from home, thereby necessitating the use of virtual environments. The pandemic has also affected students globally, who are now at home learning via virtual classrooms online. This, in turn, has required many educational establishments to quickly integrate new Learning Management Systems into their platforms.
Learning Management Systems are E-Learning platforms used for delivering educational courses and training programs remotely. Not only university students use LMS; it’s for anyone interested in online learning.
In light of the increasing popularity of these platforms, we decided to audit the security of a few of them. Despite the somewhat shady reputation of WordPress plugins, they are still heavily used and are an integral part of most WordPress websites. This seems to be especially true in the case of Learning Management Systems, in which WordPress websites are the majority of the independent websites offering this service.
The 3 leading WordPress LMS Plugins are: LearnPress, LearnDash, and LifterLMS. These platforms can transform any WordPress website into a fully functioning and easy to use LMS. The 3 systems are installed on more than 100,000 different educational platforms and include universities such as the University of Florida, University of Michigan, University of Washington as well as hundreds of online academies. The impact multiplies as it affects all of the students in all of these establishments.
We focused only on these 3 systems since they seemed to the most impactful in this category. The LMS we researched invested quite a lot of effort in their security and some even implemented a bug bounty program. And indeed, the bugs we found were not trivial and required reaching interesting sinks. Therefore, in addition to notifying the developers, we also decided to share some of them with the security community.
Our approach was to see if a motivated student can accomplish the childhood dream of every hacker – take control of his educational institution, get test answers and even change students’ grades. As we assume some of our readers might not be familiar with web application exploitation, we sorted the bugs in an increasing level of complexity, to make things easier to follow.
Read the full technical Report at CPR Blog: