Introduction
The WPLMS WordPress theme and its essential VibeBP plugin have been found to contain several critical security vulnerabilities. These vulnerabilities pose significant risks to users [1], including unauthorized file uploads [1] [3], privilege escalation [1] [2] [3] [4], and SQL injection attacks [1] [2] [4].
Description
A series of critical security vulnerabilities have been identified in the WPLMS WordPress theme and its essential VibeBP plugin [3], which are integral components of the WPLMS LMS theme [1], boasting over 28,000 sales [1]. These vulnerabilities pose significant risks [1], including unauthorized file uploads [1] [3], privilege escalation [1] [2] [3] [4], and SQL injection attacks [1] [2] [4]. Notable vulnerabilities include CVE-2024-56046 [1] [2] [3] [4], a critical file upload flaw with a CVSS score of 10.0 that allows attackers to upload malicious files, potentially leading to remote code execution (RCE); CVE-2024-56043 [1] [2] [4], an authentication bypass vulnerability with a CVSS score of 9.8 that enables low-privilege users, such as subscribers and students [3], to escalate their privileges to that of an administrator [1], risking complete site takeover; and CVE-2024-56042 [1], which exposes sensitive database information through SQL injection attacks that can be executed by both authenticated and unauthenticated users. These vulnerabilities were discovered in various functionalities [1] [2] [4], including registration forms and REST API endpoints [1] [2] [4], with a total of 18 vulnerabilities reported [1], several of which were deemed critical.
To mitigate these risks [2], it is recommended to update WPLMS to version 1.9.9.5.3 or newer and VibeBP to version 1.9.9.7.7 or newer [3]. The updates incorporate stricter controls on file uploads [2], enhanced permission checks [1] [2] [4], role restrictions during registration [2] [4], and improved input sanitization to secure against SQL injection [2]. Users are strongly urged to apply these patches immediately to safeguard their sites [2]. These vulnerabilities were addressed through collaboration with Vibe Themes and discovered by Patchstack between April and November.
Conclusion
The identified vulnerabilities in the WPLMS theme and VibeBP plugin highlight the critical need for regular updates and security patches to protect against potential exploits. By updating to the recommended versions, users can significantly reduce the risk of unauthorized access and data breaches. Continuous collaboration between developers and security researchers is essential to ensure the ongoing security and integrity of web applications.
References
[1] https://islainformatica.com/athari-muhimu-zimepatikana-katika-plugins-za-wordpress-wplms-na-vibebp/
[2] https://osintcorp.net/critical-vulnerabilities-found-in-wordpress-plugins-wplms-and-vibebp/
[3] https://clickcontrol.com/website-security/critical-security-alert-wplms-wordpress-plugins-exposed-to-remote-code-execution-and-admin-takeover/
[4] https://www.infosecurity-magazine.com/news/flaws-wordpress-plugins-wplms/
