export_admin_table function in the
LLMS_AJAX_Handler class is vulnerable to File Write leading to RCE on the Wordpress server.
A registered student can send an Ajax request with
?action=export_admin_table, when combined with
LLMS_Table_Student_Course->generate_export_file (in the parent class).
generate_export_file function opens a file handler to a path controlled by the user in the
&filename variable in the Ajax Request.
The following request would create a file named
c.php in the wordpress
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 action=export_admin_table&lesson_id=485&quiz_id=487&_ajax_nonce=[Get from legitimate request]&post_id=254&handler=Course_Students&filename=../c.php&student=5&course_id=482
(The nonce can be copied from any other legitimate Ajax request)
The file created will contain all students registered to the course mentioned in
The student can see what courses he is listed to, change the course id to his,
and change his own first name in the profile page to be
TEST<?php phpinfo(); /*.
This would create a file simiar to this one in the file system:
id,"Last Name","First Name",Email,Status,"Enrollment Updated",Completed,Progress,Grade 5,"student one","BBBBB<?php phpinfo(); /*",firstname.lastname@example.org,Enrolled,"March 26, 2020","March 26, 2020",100%,50%
Since PHP is a forgiving language, simply browsing to the website: http://example.com/wordpress/wp-content/uploads/c.php,
would execute the PHP code written in the user’s first name - affectively achieving full code excution on the server.