Information

The export_admin_table function in the LLMS_AJAX_Handler class is vulnerable to an arbitrary file write leading to RCE on the WordPress server.
A registered student can send an Ajax request with ?action=export_admin_table; when combined with &handler=Course_Students,
this calls LLMS_Table_Student_Course->generate_export_file (defined in the parent class).
The generate_export_file function opens a file handle to a path controlled by the user through the &filename parameter of the Ajax request.
The following request would create a file named c.php in the WordPress uploads folder:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
action=export_admin_table&lesson_id=485&quiz_id=487&_ajax_nonce=[Get from legitimate request]&post_id=254&handler=Course_Students&filename=../c.php&student=5&course_id=482

(The nonce can be copied from any other legitimate Ajax request.)
The file created will contain all students registered to the course given in &course_id=.
The student can see which courses he is enrolled in, change the course id to one of his own,
and change his own first name in the profile page to TEST<?php phpinfo(); /*.
This would create a file similar to this one on the file system:

id,"Last Name","First Name",Email,Status,"Enrollment Updated",Completed,Progress,Grade
5,"student one","BBBBB<?php phpinfo(); /*",a@ab.com,Enrolled,"March 26, 2020","March 26, 2020",100%,50%

Since PHP is a forgiving language, simply browsing to the website at http://example.com/wordpress/wp-content/uploads/c.php
would execute the PHP code written in the user’s first name, effectively achieving full code execution on the server.
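The root cause is that both the export file name and its extension come straight from the request, so a traversal sequence and a .php suffix land under wp-content/uploads. The following is an added example, not LifterLMS code, of the unsafe pattern next to a hardened replacement; it assumes the WordPress core functions wp_upload_dir(), sanitize_file_name() and current_user_can() are available, and the function names are hypothetical.

```php
<?php
// Added example (not LifterLMS code). Hypothetical helper names; assumes WordPress core.

// Unsafe pattern mirroring the advisory: the request value is joined onto the uploads
// directory, so "../c.php" both escapes the intended folder and picks the extension.
function export_path_unsafe( $requested_name ) {
    $upload = wp_upload_dir();
    return $upload['basedir'] . '/exports/' . $requested_name;
}

// Hardened version: privilege check, traversal removed, extension fixed server-side,
// and a final containment check on the resolved directory.
function export_path_safe( $requested_name ) {
    // A student account must be refused here no matter what the filename looks like.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $upload = wp_upload_dir();
    $dir    = realpath( $upload['basedir'] . '/exports' );
    if ( false === $dir ) {
        return false; // export directory does not exist; do not create it from request data
    }
    // sanitize_file_name() strips path separators and other dangerous characters;
    // basename() drops any directory component that might survive.
    $base = basename( sanitize_file_name( (string) $requested_name ) );
    // Discard the caller-supplied extension entirely and force .csv.
    $base = preg_replace( '/\.[^.]*$/', '', $base );
    if ( '' === $base ) {
        $base = 'export';
    }
    $path = $dir . '/' . $base . '.csv';
    // Containment check: the directory of the final path must be the exports directory.
    if ( realpath( dirname( $path ) ) !== $dir ) {
        return false;
    }
    return $path;
}
```

Serving the exports directory with PHP execution disabled (for example by web server configuration) is an additional layer, since the CSV content itself is still attacker-influenced through profile fields.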
References:
https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins