Multiple critical security vulnerabilities have been identified in two essential plugins required by the WPLMS WordPress theme, a popular learning management system with over 28,000 sales. These security flaws pose significant risks to educational institutions, corporate training platforms, and e-learning providers using the theme.
Key Vulnerabilities in WPLMS Plugin:
1. Critical File Upload Flaw (CVE-2024-56046)
– Severity: CVSS 10.0
– Allows unauthorized file uploads and potential remote code execution
2. Authentication Bypass (CVE-2024-56043)
– Severity: CVSS 9.8
– Enables unauthorized administrator account creation
3. Privilege Escalation Issues
– Multiple vulnerabilities allowing low-privilege users to gain administrator access
– Affects both subscriber and student roles
4. SQL Injection Vulnerabilities
– Several flaws enabling database manipulation and data extraction
– Both authenticated and unauthenticated attack vectors
VibeBP Plugin Vulnerabilities:
1. Unauthorized Registration (CVE-2024-56040)
– Severity: CVSS 9.8
– Allows creation of privileged accounts without authentication
2. SQL Injection Flaws
– Multiple vulnerabilities enabling database compromise
– Affects both authenticated and unauthenticated users
Remediation:
– Update WPLMS to version 1.9.9.5.3 or newer
– Update VibeBP to version 1.9.9.7.7 or newer
– Implement secure file upload protocols
– Enhance SQL query sanitization
– Strengthen role-based access controls
The vulnerabilities were discovered by Patchstack and patched through collaboration with Vibe Themes between April and November.