Critical Security Alert: WPLMS WordPress Plugins Exposed to Remote Code Execution and Admin Takeover

Critical Vulnerabilities Discovered in Popular WordPress WPLMS Theme Plugins

Multiple critical security vulnerabilities have been identified in the two plugins the WPLMS WordPress theme requires, the WPLMS plugin and VibeBP. WPLMS is a popular learning management system with over 28,000 sales, so the flaws put educational institutions, corporate training platforms, and e-learning providers running the theme at risk of full site compromise.

Key Vulnerabilities in WPLMS Plugin:

1. Critical File Upload Flaw (CVE-2024-56046)
– Severity: CVSS 10.0
– Allows unauthenticated file uploads, which can lead to remote code execution on the web server

2. Authentication Bypass (CVE-2024-56043)
– Severity: CVSS 9.8
– Enables unauthorized administrator account creation

3. Privilege Escalation Issues
– Multiple vulnerabilities allowing low-privilege users to gain administrator access
– Affects both subscriber and student roles

4. SQL Injection Vulnerabilities
– Several flaws enabling database manipulation and data extraction
– Both authenticated and unauthenticated attack vectors

VibeBP Plugin Vulnerabilities:

1. Unauthorized Registration (CVE-2024-56040)
– Severity: CVSS 9.8
– Allows creation of privileged accounts without authentication

2. SQL Injection Flaws
– Multiple vulnerabilities enabling database compromise
– Affects both authenticated and unauthenticated users

Remediation:
– Update the WPLMS plugin to version 1.9.9.5.3 or newer
– Update the VibeBP plugin to version 1.9.9.7.7 or newer

The fixes follow the usual pattern for these vulnerability classes: upload handlers must require authentication, a capability check and an allow-list of file types; database queries must pass user-controlled values only through parameterized queries; and registration and profile endpoints must assign roles server-side rather than trusting values submitted by the client.
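The following is an added illustration of those three hardening patterns as they look in a WordPress plugin. It is not code from WPLMS, VibeBP or Vibe Themes, and the hook names (`example_upload`, `example_register`) and function names are hypothetical; the WordPress APIs it calls (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_insert_user`, `$wpdb->prepare`) are the real ones.

```php
<?php
/**
 * Added example: defensive patterns for the three vulnerability classes in the
 * advisory (unauthenticated upload, role assignment from the request, SQL
 * injection). Hypothetical plugin code, not WPLMS or VibeBP.
 */

// 1. File upload. Registering only the wp_ajax_ hook (not wp_ajax_nopriv_)
//    means anonymous requests never reach the handler at all.
add_action( 'wp_ajax_example_upload', 'example_handle_upload' );
function example_handle_upload() {
    check_ajax_referer( 'example_upload', 'nonce' );   // dies on a missing or bad nonce
    if ( ! current_user_can( 'upload_files' ) ) {     // capability, not just "logged in"
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Allow-list of extensions and MIME types; PHP, HTML, SVG etc. are simply absent.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    // Checks the extension against the sniffed content, so "shell.php.png" or a
    // renamed PHP file does not pass.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// 2. Registration. The role comes from site configuration; anything the client
//    sends in $_POST['role'] is never read, so there is no path to "administrator".
add_action( 'wp_ajax_nopriv_example_register', 'example_handle_register' );
function example_handle_register() {
    check_ajax_referer( 'example_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'registration disabled', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid login or email', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => get_option( 'default_role', 'subscriber' ), // fixed server-side
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// 3. Role changes after registration need an explicit capability check; a
//    "logged in" test alone is what lets a subscriber or student promote itself.
function example_change_role( $target_user_id, $new_role ) {
    if ( ! current_user_can( 'promote_users' ) || ! get_role( $new_role ) ) {
        return new WP_Error( 'forbidden', 'not allowed to change roles' );
    }
    $user = new WP_User( absint( $target_user_id ) );
    $user->set_role( $new_role );
    return true;
}

// 4. Database access. Every user-controlled value goes through $wpdb->prepare();
//    %d and %s placeholders are quoted/cast by WordPress, never interpolated raw.
function example_lookup_courses( $author_id, $status ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_author = %d AND post_status = %s AND post_type = 'course'",
        absint( $author_id ),
        $status
    );
    return $wpdb->get_results( $sql );
}
```

A quick audit check when reviewing any WordPress plugin for these classes: grep for `wp_ajax_nopriv_` and `register_rest_route` callbacks and confirm each one either has `permission_callback`/`current_user_can` or genuinely needs to be public; grep for `$wpdb->query`/`get_results`/`get_var` and confirm every call site with a variable in the SQL string is wrapped in `$wpdb->prepare()`; and grep for `set_role`, `add_role` and `'role' =>` to confirm the value never originates from `$_POST`, `$_GET` or `$_REQUEST`.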

The vulnerabilities were discovered by Patchstack and patched through collaboration with Vibe Themes between April and November.
