Two WordPress plugins required for the popular WPLMS learning management system (LMS) theme, used by educational and corporate organizations, were found to have 18 critical vulnerabilities. These flaws could allow remote attackers to upload malicious files, execute arbitrary code, escalate privileges, and perform SQL injection attacks.
Key vulnerabilities in the WPLMS and VibeBP plugins include: unauthenticated arbitrary file upload (CVE-2024-56046, CVSS 10.0), privilege escalation by low-privileged users (CVE-2024-56048, CVSS 8.8), and SQL injection through insufficiently sanitized inputs (CVE-2024-56042, CVSS 9.3). The issues affect versions released before April 2024.
Patchstack researchers identified these flaws and worked with WPLMS developer Vibe Themes to resolve them. After months of testing, comprehensive fixes were implemented by November 2024.
Users are strongly advised to update WPLMS to version 1.9.9.5.3 and VibeBP to version 1.9.9.7.7 or later to protect against these exploits. Additional precautions include enforcing secure file upload policies, sanitizing SQL queries, and implementing strict role-based access controls.
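The three precautions listed above map directly onto WordPress plugin idioms. The following is an added illustration, not code from WPLMS, VibeBP, Patchstack or the vulnerability write-ups: a hypothetical LMS "upload course material" AJAX handler that enforces a capability check and nonce, validates the file against an extension/MIME allowlist with the server-side type check, discards the client-supplied filename, and records the result with a parameterised query; plus a role-change helper that refuses to assign any role outside an allowlist. The plugin prefix `example_lms_`, the action and nonce names, the table name and the capability and role names are all assumptions.

```php
<?php
/**
 * Added example (not WPLMS/VibeBP code): a hardened upload handler and a
 * role-change helper for a hypothetical WordPress LMS plugin. Everything
 * prefixed example_lms_ is assumed; the WordPress functions are real.
 */

// Assumed capability required to upload course material.
define( 'EXAMPLE_LMS_UPLOAD_CAP', 'edit_posts' );

// Only the authenticated hook is registered; no wp_ajax_nopriv_ variant,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_example_lms_upload', 'example_lms_handle_upload' );

function example_lms_handle_upload() {
    // 1. Authorization: a capability check, not merely is_user_logged_in().
    if ( ! current_user_can( EXAMPLE_LMS_UPLOAD_CAP ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: nonce bound to this specific action (assumed name).
    check_ajax_referer( 'example_lms_upload', 'nonce' );

    if ( empty( $_FILES['material'] ) || ! is_uploaded_file( $_FILES['material']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['material'];

    // 2. Secure upload policy: explicit allowlist, verified server-side.
    //    The client-declared type and extension are not trusted.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Never keep the user-supplied name: generate one with the verified extension.
    $file['name'] = wp_generate_uuid4() . '.' . $check['ext'];

    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed, // wp_handle_upload re-validates against this list
    );
    $moved = wp_handle_upload( $file, $overrides );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    // 3. Parameterised SQL via $wpdb->prepare(); no string concatenation of input.
    global $wpdb;
    $table     = $wpdb->prefix . 'example_lms_material'; // assumed plugin table
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $title     = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (course_id, owner_id, title, file_url, created_at)
         VALUES (%d, %d, %s, %s, %s)",
        $course_id,
        get_current_user_id(),
        $title,
        $moved['url'],
        current_time( 'mysql', true )
    ) );

    wp_send_json_success( array( 'url' => $moved['url'] ) );
}

/**
 * Role-based access control for a "change member role" feature.
 * The caller must hold promote_users, and the target role must come from a
 * fixed allowlist, so a request body can never name 'administrator'.
 */
function example_lms_set_member_role( $user_id, $requested_role ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden', 'insufficient privileges' );
    }
    $assignable = array( 'subscriber', 'contributor' ); // assumed LMS-facing roles
    if ( ! in_array( $requested_role, $assignable, true ) ) {
        return new WP_Error( 'bad_role', 'role not assignable through this feature' );
    }
    $user = get_userdata( absint( $user_id ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'unknown user' );
    }
    $user->set_role( $requested_role ); // replaces, rather than adds, the role
    return true;
}
```

The pattern worth noting is that each control is enforced on the server from a fixed allowlist (capability, nonce action, file types, roles) and none of them depends on a value the client sends; the `%d`/`%s` placeholders in `$wpdb->prepare()` do the same for the database layer.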