cbcvebase.
CVE-2020-6008
published 2020-03-31

CVE-2020-6008: LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution

PriorityP181critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
3.78%
88.6th percentile
LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution

Affected

1 ranges
VendorProductVersion rangeFixed in
lifterlmslifterlms< 3.37.153.37.15

Detection & IOCsextracted from sources · hover to see the quote

urlaction=export_admin_table
command&filename=../
pathLLMS_TMP_DIR
snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action=export_admin_table"; content:"&filename=../"; fast_pattern; reference:url,cpr-zero.checkpoint.com/vulns/cprid-2148/; reference:cve,2020-6008; classtype:attempted-admin; sid:2030644; rev:1; metadata:created_at 2020_08_04, cve CVE_2020_6008, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_04;)
  • Look for HTTP POST requests to WordPress AJAX endpoints containing 'action=export_admin_table' combined with a path traversal sequence '&filename=../' in the URI — this is the exact pattern used to exploit the arbitrary file write.
  • The vulnerability is triggered via an AJAX request that fails to validate the file extension during upload, allowing creation of PHP files in arbitrary locations. Monitor for PHP file creation in unexpected directories via the LifterLMS temp/export path.
  • A registered (student-level) user can embed malicious PHP code in their profile's 'first name' field; the code is written to a PHP file via the export handler. Alert on profile update requests followed by access to generated PHP files in the LifterLMS temp directory.
  • The exploit chain involves the 'generate_export_file' function in LLMS_Tables (specifically LLMS_Tables_Course_Students). Monitor for invocations of this handler with attacker-controlled 'filename' and 'courses id' parameters.
  • Check Point IPS signature 'WordPress LifterLMS Plugin Arbitrary File Write (CVE-2020-6008)' can be used for network-level detection.
  • ·The Snort/ET rule targets inbound traffic to $HTTP_SERVERS and $HOME_NET on any port; ensure these variables are correctly scoped to your WordPress server IPs to avoid false positives or missed detections.
  • ·Exploitation requires the attacker to be a registered (authenticated) user enrolled in at least one course — unauthenticated exploitation is not possible for CVE-2020-6008.
  • ·The vulnerability affects LifterLMS versions strictly below 3.37.15; versions 3.37.15 and above (including the recommended 3.38.0) are patched.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.