Experts Comments On Bugs In WordPress plugins LearnPress, LearnDash, And LifterLMS For Online Courses Let Students Cheat

Researchers disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities. It was discovered that the flaws could be used to steal personal information (including names, emails, usernames, and passwords), modify payment schemes, change grades, forge certificates, or access tests in advance. Together, these plugins (LearnPress, LearnDash, and LifterLMS) have been installed on more than 130,000 school websites as part of their learning management systems, including those of the University of Florida, University of Michigan and University of Washington.

EXPERTS COMMENTS
Ameet Naik, Security Evangelist, PerimeterX
May 01, 2020
Staying up to date on versions helps but cannot guarantee the integrity of the third-party code.
WordPress plugins are a critical third-party risk in any web application and a frequent target for attackers. A single compromised plugin can infect tens of thousands of websites in one stroke, hence they remain a popular attack vector. XSS vulnerabilities that enable RCE attacks are particularly problematic since they give attackers potentially unlimited access to the application.
Tim Mackey, Principal Security Strategist, Synopsys CyRC
May 01, 2020
The scope of these vulnerabilities demonstrates why procurement processes should include a security verification step.
LearnDash, LearnPress and LifterLMS are all examples of WordPress plugins designed to turn WordPress into a custom delivery platform – in this case for eLearning. Each of these follows a business model known as "open core" wherein key aspects of their business are open source, but their commercial offering differs from that available via open source channels.

