We are committed to ensuring the security and integrity of your data. As part of our continuous efforts to enhance our platform’s safety, we have identified and addressed a security vulnerability that may affect a subset of our users.
Summary of the Issue:
A vulnerability was discovered where plain-text passwords were inadvertently stored in the WordPress user meta table (usermeta) under the meta key password_confirm. This occurred only on sites where the “Password” reusable block, which is used by default in the Billing, Registration, and Edit Account Information forms, had been edited.
Who Is Affected:
- Affected: Sites that customized the LifterLMS “Password” block, either by using the “Detach” feature or by editing the original reusable block.
- Not Affected: Sites that have not modified the default “Password” block.
Actions Required
1. Update Your LifterLMS Version
We have released an update that addresses this vulnerability by:
- Removing any existing password_confirm user meta from your database.
- Preventing the plain-text password from being stored in the future.
What You Need to Do:
- Update Your Version of the LifterLMS Core Plugin: Navigate to your WordPress dashboard and update LifterLMS to the latest version.
2. Reset User Passwords
The update deletes the stored values, but it cannot undo any exposure that occurred while they were present: anyone with access to the database, a database export, or a backup taken before the update may have seen the plain-text passwords. Treat the affected passwords as potentially compromised. Old backups are covered in step 3 below; in the meantime, create a fresh backup taken after the update and remove the old ones for maximum security.
What You Can Also Do:
- Notify Your Users: Inform all registered users about the issue and recommend that they change their passwords as a precaution.
- Force Password Reset (Optional): Consider enforcing a password reset for all users. This can often be done via security plugins or custom scripts. A forced reset should also invalidate existing login sessions, so that anyone who already signed in with a leaked password is logged out.
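The audit-and-reset procedure from steps 1 and 2, as an added example written for this page; it is not LifterLMS or WordPress core code. It assumes the LifterLMS update is already installed, WordPress 5.7 or newer (for retrieve_password()), and that the file is executed inside a loaded WordPress site, for example with WP-CLI's wp eval-file. The file name, the function names and the LPC_APPLY switch are the example's own.

```php
<?php
/**
 * Added example (not LifterLMS or WordPress core code).
 * Run inside WordPress, e.g.:  wp eval-file remediate-password-confirm.php
 * Assumes WordPress >= 5.7 (retrieve_password()) and the LifterLMS fix installed.
 */

const LPC_META_KEY = 'password_confirm'; // the meta key named in the advisory
const LPC_APPLY    = false;              // false: report only; true: delete meta, rotate passwords, email reset links

/**
 * IDs of users who still have a password_confirm row in the usermeta table.
 * Queries $wpdb directly so rows with an empty value are found as well.
 */
function lpc_affected_user_ids() {
    global $wpdb;
    $ids = $wpdb->get_col( $wpdb->prepare(
        "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE meta_key = %s",
        LPC_META_KEY
    ) );
    return array_map( 'intval', $ids );
}

/**
 * Remediate one account:
 *  1. delete the stored value,
 *  2. replace the password hash with a random one, so the leaked plain-text
 *     password stops working immediately,
 *  3. destroy every active session for the account,
 *  4. send the standard WordPress password-reset email.
 * Returns true on success, false if the user does not exist or the mail failed.
 */
function lpc_force_reset( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false;
    }
    delete_user_meta( $user_id, LPC_META_KEY );
    wp_set_password( wp_generate_password( 32, true, true ), $user_id );
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    $result = retrieve_password( $user->user_login ); // true on success, WP_Error otherwise
    return true === $result;
}

$ids = lpc_affected_user_ids();
printf( "%d user(s) still carry a '%s' meta row%s", count( $ids ), LPC_META_KEY, PHP_EOL );

foreach ( $ids as $id ) {
    if ( ! LPC_APPLY ) {
        echo "  would reset user {$id}", PHP_EOL;
        continue;
    }
    echo ( lpc_force_reset( $id ) ? '  reset user ' : '  FAILED user ' ) . $id, PHP_EOL;
}
if ( ! LPC_APPLY ) {
    echo 'Dry run only. Set LPC_APPLY to true to apply the changes.', PHP_EOL;
}
```

The script deliberately never prints the stored values, only the user IDs. Run it first with LPC_APPLY left at false, ideally against a staging copy, to see how many accounts are involved; with LPC_APPLY set to true every listed user is emailed a reset link, so plan the announcement in step 2 accordingly. Running it again afterwards should report zero rows.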
3. Secure or Delete Old Backups
Backups made prior to this update may contain the plain-text passwords stored in the password_confirm user meta.
What You Need to Do:
- Identify Affected Backups: Locate all database backups made before installing the update, including copies kept offsite, with your hosting provider, or on staging sites.
- Secure Storage: Ensure that these backups are stored securely with restricted access.
- Delete if Necessary: If possible, delete the old backups to eliminate the risk of unauthorized access to plain-text passwords.
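One way to carry out the “Identify Affected Backups” step, as an added example that is not LifterLMS code: a command-line PHP script that scans mysqldump-style SQL backups (plain or gzip-compressed) for usermeta rows with the key password_confirm and reports, per file, how many rows were found and which user IDs they belong to, without ever printing the stored values. The script, its function name, and the row-layout assumption (the default usermeta column order umeta_id, user_id, meta_key, meta_value) are the example's own.

```php
<?php
/**
 * Added example (not LifterLMS code): scan SQL backups for leaked
 * password_confirm rows.  Usage:
 *   php scan-backups.php site-2024-05-01.sql site-2024-04-01.sql.gz ...
 * Assumes mysqldump-style INSERT statements into a table named *usermeta with
 * the default column order (umeta_id, user_id, meta_key, meta_value).
 */

const SCAN_META_KEY = 'password_confirm';

/**
 * Scan one dump file and return array( 'rows' => int, 'user_ids' => int[] ).
 * gzopen() reads both gzip-compressed and plain files, so one code path
 * handles .sql and .sql.gz.  Lines are processed one at a time so large
 * dumps do not have to fit in memory.  The meta value itself is never
 * captured, only the user_id the row belongs to.
 */
function scan_backup_for_password_confirm( $path ) {
    $found = array( 'rows' => 0, 'user_ids' => array() );
    $fh = gzopen( $path, 'rb' );
    if ( false === $fh ) {
        throw new RuntimeException( "cannot open $path" );
    }
    // Matches the start of one row tuple: (umeta_id,user_id,'password_confirm',
    $pattern = '/\(\s*\d+\s*,\s*(\d+)\s*,\s*\'' . preg_quote( SCAN_META_KEY, '/' ) . '\'\s*,/';
    while ( false !== ( $line = gzgets( $fh ) ) ) {
        // Only look at INSERTs into a usermeta table; skip schema and other tables.
        if ( false === stripos( $line, 'usermeta' ) || false === stripos( $line, 'INSERT' ) ) {
            continue;
        }
        if ( preg_match_all( $pattern, $line, $m ) ) {
            $found['rows'] += count( $m[1] );
            foreach ( $m[1] as $uid ) {
                $found['user_ids'][ (int) $uid ] = true; // de-duplicate by key
            }
        }
    }
    gzclose( $fh );
    $found['user_ids'] = array_keys( $found['user_ids'] );
    sort( $found['user_ids'] );
    return $found;
}

if ( PHP_SAPI === 'cli' && $argc > 1 ) {
    foreach ( array_slice( $argv, 1 ) as $path ) {
        $r = scan_backup_for_password_confirm( $path );
        if ( 0 === $r['rows'] ) {
            echo "$path: clean", PHP_EOL;
        } else {
            printf( "%s: %d '%s' row(s) for %d user(s): %s%s",
                $path, $r['rows'], SCAN_META_KEY, count( $r['user_ids'] ),
                implode( ',', $r['user_ids'] ), PHP_EOL );
        }
    }
}
```

Before relying on the result, open one usermeta INSERT from your own dump and confirm it has the tuple layout the pattern expects; backup plugins that wrap the SQL in a .zip archive need to be extracted first. A backup the script reports as clean can be kept; any file that reports rows is one to secure or delete under this step.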
Best Practices Moving Forward
- Educate Users on Strong Passwords: Encourage users to create strong, unique passwords and consider using password managers.
- Enable Two-Factor Authentication (2FA): Adding an extra layer of security can significantly reduce the risk of unauthorized access.
- Regular Security Audits: Periodically review your site’s security settings and keep all plugins and themes up to date.
- Monitor for Suspicious Activity: Use security plugins to monitor login attempts and other potential security threats.
- Keep LifterLMS Software Up To Date: Keep the LifterLMS core software, plugins, and themes up to date.
We’re Here to Help
We understand the seriousness of software security updates and are here to support you through this process.
- Support Resources: Visit our support page at https://lifterlms.com/docs/ for detailed guides and assistance.
- Contact Us: If you have any questions or need personalized support, please contact our support team.
Our Commitment to You
Your security is our top priority. We apologize for any inconvenience this may cause and appreciate your prompt attention to this matter. Thank you for your understanding and for being a valued member of the LifterLMS community.
Key Takeaways
- Immediate Action Recommended: Update your version of LifterLMS and reset user passwords.
- Affected Users: Those who customized the LifterLMS “Password” block by detaching or editing the reusable block.
- Protect Your Data: Secure or delete old backups containing sensitive information.
Please take these steps as soon as possible to ensure the continued security of your site and user data. Contact the LifterLMS support team with any questions.
LifterLMS is constantly releasing new features, updates, and security upgrades. It’s important to keep your software up to date.