CVE-2020-6008
published 2020-03-31CVE-2020-6008: LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution
PriorityP181critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
3.78%
88.6th percentile
LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lifterlms | lifterlms | < 3.37.15 | 3.37.15 |
Detection & IOCsextracted from sources · hover to see the quote
urlaction=export_admin_table
command&filename=../
pathLLMS_TMP_DIR
snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action=export_admin_table"; content:"&filename=../"; fast_pattern; reference:url,cpr-zero.checkpoint.com/vulns/cprid-2148/; reference:cve,2020-6008; classtype:attempted-admin; sid:2030644; rev:1; metadata:created_at 2020_08_04, cve CVE_2020_6008, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_04;)
- →Look for HTTP POST requests to WordPress AJAX endpoints containing 'action=export_admin_table' combined with a path traversal sequence '&filename=../' in the URI — this is the exact pattern used to exploit the arbitrary file write.
- →The vulnerability is triggered via an AJAX request that fails to validate the file extension during upload, allowing creation of PHP files in arbitrary locations. Monitor for PHP file creation in unexpected directories via the LifterLMS temp/export path. ↗
- →A registered (student-level) user can embed malicious PHP code in their profile's 'first name' field; the code is written to a PHP file via the export handler. Alert on profile update requests followed by access to generated PHP files in the LifterLMS temp directory. ↗
- →The exploit chain involves the 'generate_export_file' function in LLMS_Tables (specifically LLMS_Tables_Course_Students). Monitor for invocations of this handler with attacker-controlled 'filename' and 'courses id' parameters. ↗
- →Check Point IPS signature 'WordPress LifterLMS Plugin Arbitrary File Write (CVE-2020-6008)' can be used for network-level detection. ↗
- ·The Snort/ET rule targets inbound traffic to $HTTP_SERVERS and $HOME_NET on any port; ensure these variables are correctly scoped to your WordPress server IPs to avoid false positives or missed detections.
- ·Exploitation requires the attacker to be a registered (authenticated) user enrolled in at least one course — unauthenticated exploitation is not possible for CVE-2020-6008. ↗
- ·The vulnerability affects LifterLMS versions strictly below 3.37.15; versions 3.37.15 and above (including the recommended 3.38.0) are patched. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-63xj-xhvh-24pv: LifterLMS Wordpress plugin version below 3
ghsa_unreviewed·2022-05-24
CVE-2020-6008 [HIGH] GHSA-63xj-xhvh-24pv: LifterLMS Wordpress plugin version below 3
LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution
VulnCheck
lifterlms lifterlms Unrestricted Upload of File with Dangerous Type
vulncheck·2020·CVSS 9.8
CVE-2020-6008 [CRITICAL] lifterlms lifterlms Unrestricted Upload of File with Dangerous Type
lifterlms lifterlms Unrestricted Upload of File with Dangerous Type
LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution
Affected: lifterlms lifterlms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/lifterlms/lifterlms-wordpress-plugin-33714-arbitrary-file-write
Suricata
ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)
suricata·2020-08-04·CVSS 9.8
CVE-2020-6008 [CRITICAL] ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)
ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action=export_admin_table"; content:"&filename=../"; fast_pattern; reference:url,cpr-zero.checkpoint.com/vulns/cprid-2148/; reference:cve,2020-6008; classtype:attempted-admin; sid:2030644; rev:1; metadata:created_at 2020_08_04, cve CVE_2020_6008, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_04;)
No public exploits indexed.
Checkpoint
4th May – Threat Intelligence Bulletin
blogs_checkpoint·2020-05-04
CVE-2020-6009 4th May – Threat Intelligence Bulletin
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 4th May – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 4th May 2020, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Check Point Research has discovered a targeted attack on a multinational conglomerate, where the company’s Mobile Device Manager (MDM) server has been compromised and used to install Cerberus banking Trojan on employees’ mobile devices centrally. This new variant of Cerberus has enhanced RAT capabilities and allows to exfilt
Tenable
WordPress E-Learning Plugin Vulnerabilities Range from Cheating to Remote Code Execution
blogs_tenable·2020-04-30
WordPress E-Learning Plugin Vulnerabilities Range from Cheating to Remote Code Execution
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Checkpoint
E-Learning Platforms Getting Schooled – Multiple Vulnerabilities in WordPress’ Most Popular Learning Management System Plugins
blogs_checkpoint·2020-04-29
CVE-2020-6008 E-Learning Platforms Getting Schooled – Multiple Vulnerabilities in WordPress’ Most Popular Learning Management System Plugins
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## E-Learning Platforms Getting Schooled – Multiple Vulnerabilities in WordPress’ Most Popular Learning Management System Plugins
Research by: Omri Herscovici and Sagi Tzadik
## Overview
Bugzilla
CVE-2020-11049 freerdp: out-of-bound read of client memory that is then passed on to the protocol parser
bugzilla·2020-05-14·CVSS 5.5
CVE-2020-11049 [MEDIUM] CVE-2020-11049 freerdp: out-of-bound read of client memory that is then passed on to the protocol parser
CVE-2020-11049 freerdp: out-of-bound read of client memory that is then passed on to the protocol parser
A vulnerability was found in FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read of client memory that is then passed on to the protocol parser. This has been patched in 2.0.0.
References:
https://github.com/FreeRDP/FreeRDP/issues/6008
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wwh7-r2r8-xjpr
Upstream Commit:
https://github.com/FreeRDP/FreeRDP/commit/c367f65d42e0d2e1ca248998175180aa9c2eacd0
Discussion:
Created freerdp tracking bugs for this issue:
Affects: epel-all [bug 1835774]
Created freerdp1.2 tracking bugs for this issue:
Affects: fedora-all [bug 1835773]
---
This issue has been addressed in the following products:
Red Hat Enterprise Lin
2020-03-31
Published
Exploited in the wild