CVE-2023-6160

Name of the Vulnerable Software and Affected Versions LifterLMS – WordPress LMS Plugin for eLearning versions up to, and including, 7.4.2

Description The issue allows authenticated attackers with administrator or LMS manager access and above to read the contents of arbitrary CSV files on the server, which can contain sensitive information, as well as remove those files from the server. This is made possible through the maybe serve export function.

Recommendations For versions up to, and including, 7.4.2, consider disabling the maybe serve export function until a patch is available to prevent exploitation. Restrict access to sensitive CSV files to minimize the risk of information disclosure.