Premium WPLMS WordPress plugins address seven critical flaws

Share:

Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities.

The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections.

The WPLMS theme is a learning management system (LMS) for WordPress, used primarily by educational institutions, corporations providing training, and e-learning providers. It also offers integration with WooCommerce for selling courses.

Vulnerabilities in WPLMS theme

Patchstack vulnerability researchers found a total of 18 security issues in the WPLMS and VibeBP plugins and present in a recent report 10 of the most significant ones.

Here’s a summary of the flaws impacting the WPLMS theme:

  1. CVE-2024-56046 (CVSS 10.0): Allows attackers to upload malicious files without authentication, potentially leading to remote code execution (RCE).
  2. CVE-2024-56050 (CVSS 9.9): Authenticated users with subscriber privileges can upload files, bypassing restrictions.
  3. CVE-2024-56052 (CVSS 9.9): Similar to Subscriber+ but exploitable by users with student roles.
  4. CVE-2024-56043 (CVSS 9.8): Attackers can register as any role, including Administrator, without authentication.
  5. CVE-2024-56048 (CVSS 8.8): Low-privilege users can escalate to higher roles, such as Administrator, by exploiting weak role validation.
  6. CVE-2024-56042 (CVSS 9.3): Attackers can inject malicious SQL queries to extract sensitive data or compromise the database.
  7. CVE-2024-56047 (CVSS 8.5): Low-privilege users can execute SQL queries, potentially compromising data integrity or confidentiality.

And for VibeBP:

  1. CVE-2024-56040 (CVSS 9.8): Attackers can register as privileged users without authentication.
  2. CVE-2024-56039 (CVSS 9.3): SQL queries can be injected by unauthenticated users, exploiting poorly sanitized inputs.
  3. CVE-2024-56041 (CVSS 8.5): Authenticated users with minimal privileges can perform SQL injection to compromise or extract database information.

Users of WPLMS should upgrade to version 1.9.9.5.3 and newer, while VibeBP should be upgraded to 1.9.9.7.7 or later.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
10:08 am, Apr 3, 2025
weather icon 14°C
L: 13° | H: 15°
clear sky
Humidity: 64 %
Pressure: 1019 mb
Wind: 14 mph E
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 2%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 6:30 am
Sunset: 7:36 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
13° | 15°°C 0 mm 0% 11 mph 72 % 1020 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
10° | 18°°C 0 mm 0% 14 mph 86 % 1021 mb 0 mm/h
Sat Apr 05 10:00 pm
weather icon
7° | 17°°C 0 mm 0% 12 mph 73 % 1022 mb 0 mm/h
Sun Apr 06 10:00 pm
weather icon
7° | 14°°C 0 mm 0% 12 mph 81 % 1026 mb 0 mm/h
Mon Apr 07 10:00 pm
weather icon
6° | 14°°C 0 mm 0% 8 mph 74 % 1028 mb 0 mm/h
Today 1:00 pm
weather icon
15° | 17°°C 0 mm 0% 11 mph 60 % 1019 mb 0 mm/h
Today 4:00 pm
weather icon
17° | 18°°C 0 mm 0% 11 mph 57 % 1019 mb 0 mm/h
Today 7:00 pm
weather icon
15° | 15°°C 0 mm 0% 8 mph 63 % 1019 mb 0 mm/h
Today 10:00 pm
weather icon
12° | 12°°C 0 mm 0% 6 mph 72 % 1020 mb 0 mm/h
Tomorrow 1:00 am
weather icon
10° | 10°°C 0 mm 0% 4 mph 80 % 1021 mb 0 mm/h
Tomorrow 4:00 am
weather icon
11° | 11°°C 0 mm 0% 5 mph 84 % 1020 mb 0 mm/h
Tomorrow 7:00 am
weather icon
10° | 10°°C 0 mm 0% 5 mph 86 % 1020 mb 0 mm/h
Tomorrow 10:00 am
weather icon
15° | 15°°C 0 mm 0% 10 mph 57 % 1021 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€77,261.61
-1.10%
Ethereum(ETH)
€1,681.55
-2.47%
Tether(USDT)
€0.92
0.00%
XRP(XRP)
€1.89
-2.74%
Solana(SOL)
€109.76
-5.12%
USDC(USDC)
€0.92
0.01%
Dogecoin(DOGE)
€0.152020
-3.34%
Shiba Inu(SHIB)
€0.000011
0.18%
Pepe(PEPE)
€0.000006
-1.67%
Scroll to Top