Two WordPress plugins integral to the premium WPLMS theme, a popular Learning Management System (LMS) solution with over 28,000 sales, have been found to contain over a dozen critical vulnerabilities.
These flaws could allow remote, unauthenticated attackers to upload malicious files, execute code, escalate privileges, and inject malicious SQL commands.
The WPLMS theme, widely used by educational institutions, corporations, and e-learning platforms, relies on the WPLMS and VibeBP plugins. Security researchers at Patchstack identified 18 security flaws, with 10 posing severe threats.
Vulnerabilities in WPLMS:
- CVE-2024-56046 (CVSS 10.0): Allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution (RCE).
- CVE-2024-56050 (CVSS 9.9): Permits authenticated users with subscriber privileges to bypass restrictions and upload files.
- CVE-2024-56052 (CVSS 9.9): Similar to CVE-2024-56050 but affects users with student roles.
- CVE-2024-56043 (CVSS 9.8): Enables attackers to register as any role, including Administrator, without authentication.
- CVE-2024-56048 (CVSS 8.8): Low-privilege users can escalate their roles to Administrator by exploiting weak validation mechanisms.
- CVE-2024-56042 (CVSS 9.3): Allows attackers to inject malicious SQL queries, compromising sensitive data.
- CVE-2024-56047 (CVSS 8.5): Low-privilege users can execute SQL queries, jeopardizing data integrity and confidentiality.
Vulnerabilities in VibeBP:
- CVE-2024-56040 (CVSS 9.8): Unauthenticated attackers can register as privileged users.
- CVE-2024-56039 (CVSS 9.3): Exploits unsanitized inputs to inject SQL queries, enabling attackers to access or manipulate database information.
- CVE-2024-56041 (CVSS 8.5): Authenticated users with minimal privileges can use SQL injection to compromise databases.
Developer’s Response and Fix
Patchstack disclosed these vulnerabilities to Vibe Themes, the WPLMS developer, on March 31, 2024. Over several months, Vibe Themes collaborated with Patchstack to test and release patches, ensuring that all security flaws were resolved.
Users are advised to upgrade to the latest secure versions:
- WPLMS: Version 1.9.9.5.3 or later
- VibeBP: Version 1.9.9.7.7 or later
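As an added defensive check (not code from the article or from Vibe Themes): a small Python audit that reads each plugin's header comment and reports whether the installed WPLMS and VibeBP versions meet the minimums listed above. It assumes the plugins are identified by a `Plugin Name:` header reading exactly WPLMS or VibeBP and that each plugin's main file sits at wp-content/plugins/<dir>/<file>.php; the sample headers at the bottom are constructed, not captured from a real install.

```python
import re
from pathlib import Path

# Minimum patched versions named above; keys are the plugin header names.
PATCHED = {"WPLMS": "1.9.9.5.3", "VibeBP": "1.9.9.7.7"}

def parse_version(v: str) -> tuple:
    # WordPress version strings can carry more than three components
    # (e.g. 1.9.9.5.3), so compare them as integer tuples, not floats.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_patched(installed: str, minimum: str) -> bool:
    # Pad the shorter tuple with zeros so 1.9.9.5 < 1.9.9.5.3.
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def plugin_header(php: str) -> dict:
    # Pull 'Plugin Name:' and 'Version:' from the plugin's header comment.
    hdr = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(rf"^\s*\*?\s*{key}:\s*(.+?)\s*$", php, re.M)
        if m:
            hdr[key] = m.group(1)
    return hdr

def audit(plugin_sources: list) -> dict:
    # Returns {name: "ok" | "VULNERABLE <ver> < <min>" | "not installed"}.
    found = {}
    for src in plugin_sources:
        h = plugin_header(src)
        if h.get("Plugin Name") in PATCHED and "Version" in h:
            found[h["Plugin Name"]] = h["Version"]
    return {
        name: ("not installed" if name not in found
               else "ok" if is_patched(found[name], minimum)
               else f"VULNERABLE {found[name]} < {minimum}")
        for name, minimum in PATCHED.items()
    }

def audit_wp_install(wp_root: str) -> dict:
    # Scan the top-level PHP file of every plugin directory (layout assumed).
    files = Path(wp_root).glob("wp-content/plugins/*/*.php")
    return audit([f.read_text(errors="replace") for f in files])

# Constructed sample headers, not copied from a real install.
SAMPLE = [
    "<?php\n/*\nPlugin Name: WPLMS\nVersion: 1.9.9.5\n*/",
    "<?php\n/**\n * Plugin Name: VibeBP\n * Version: 1.9.9.7.7\n */",
]
```

Run `audit_wp_install("/path/to/wordpress")` against a live site root, or `audit(SAMPLE)` to see the constructed case flag WPLMS 1.9.9.5 as below the patched version.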
Bijay Pokharel