Get all the latest news on coronavirus and more delivered daily to your inbox. Sign up here.
As students stay at home and turn to online learning because of the coronavirus pandemic, security landmines await them, says a new report.
A recent audit of Learning Management Systems by cybersecurity firm Check Point found “dangerous” security flaws in some of the more popular systems.
Some of the more popular systems use WordPress add-on software known generically as a plugin. “Despite the somewhat shady reputation of WordPress plugins, they are still heavily used and are an integral part of most WordPress websites,” Check Point said in the report released Thursday.
“This seems to be especially true in the case of Learning Management Systems, in which WordPress websites are the majority of the independent websites offering this service,” the report said.
Three of the most popular WordPress learning management plugins are LearnPress, LearnDash and LifterLMS, Check Point noted.
These plugins essentially turn any WordPress website into a fully functioning Learning Management System. They are installed on approximately 100,000 different educational platforms, including the University of Florida, University of Michigan, University of Washington as well as hundreds of online academies, Check Point explained.
Though all of the above plugin providers have security in place – and some have even have bug bounty programs – holes exist nonetheless.
“Students and employees logging into eLearning sites probably don’t know just how dangerous that can be,” Check Point Vulnerability Research Team Leader, Omri Herscovici, said in a statement sent to Fox News. “We proved that hackers could easily take control of the entire eLearning platform.”
Check Point said it communicated the findings to all three of the plugin providers then worked with them to issue patches.
“The whole process took about a month. The patches are only available in the latest software versions, so folks need to update [as soon as possible],” a Check Point spokesperson told Fox News.
The patches are necessary to thwart attackers.
“WordPress plugins are a critical third-party risk in any web application and a frequent target for attackers,” Ameet Naik, security evangelist at PerimeterX, told Fox News.
“A single compromised plugin can infect tens of thousands of websites in one stroke, hence they remain a popular attack vector,” Naik added.
LearnDash said it acted quickly. “A security issue related to how PayPal was used in our software was brought to our attention last month by Check Point Research,” a LearnDash spokesperson told Fox News.
“We fixed the issue the same day it was reported and pushed out an update to our users (LearnDash v3.1.6),” the spokesperson said, adding, “While we don't have any user reports of the vulnerability being exploited, the only way to fully ensure that the vulnerability cannot be exploited is to update to the latest version of LearnDash which includes the fix.”
Fox News has reached out to LearnPress, LifterLMS and WordPress for comment.
As of Friday morning, more than 3.27 million coronavirus cases have been diagnosed worldwide, more than 1 million of which are in the U.S., the most impacted country on the planet.