WordPress LMS Theme at Risk: Critical Vulnerabilities Threaten Thousands of Sites
Critical vulnerabilities have been discovered in the popular WordPress plugins WPLMS and VibeBP, which are integral components of the premium WPLMS LMS theme. This theme, widely used for creating online courses and managing educational content, has over 28,000 sales, underscoring the significant scope of the risk.
The vulnerabilities pose severe threats, including unauthorized file uploads, privilege escalation, and SQL injection attacks. Notably, CVE-2024-56046 allows attackers to upload malicious files and execute remote code, while the privilege escalation vulnerability (CVE-2024-56043) enables low-privileged users to gain administrative access, potentially resulting in complete site takeover. Additionally, SQL injection flaws, such as CVE-2024-56042, expose sensitive database information through crafted queries.
Researchers from PatchStack identified 18 vulnerabilities in the plugins, several of which were deemed critical. These issues affected functionalities related to registration forms and REST API endpoints.
The developers of the affected plugins have released updates addressing all identified flaws. The latest secure versions are WPLMS 1.9.9.5.3 and VibeBP 1.9.9.7.7. These updates enhance security by implementing stricter file upload checks, resolving privilege escalation vulnerabilities, and mitigating SQL injection risks. Additional safeguards include input sanitization and the use of prepared statements to prevent SQL injection attacks.
Users are strongly advised to update the plugins immediately to protect their websites from potential exploitation.
PatchStack also recommends that developers adopt the following security measures to prevent similar vulnerabilities in the future:
- Restrict file uploads by validating file types and names.
- Use allowlists for roles during registration processes.
- Sanitize user inputs in SQL queries and employ prepared statements.
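The three measures applied together in a WordPress REST registration handler, as an added example that is not WPLMS or VibeBP code; the `example/v1` route, the `student` role and the `avatar` file field are assumptions for illustration.

```php
<?php
// Added example, not WPLMS/VibeBP code. The 'example/v1' namespace, the
// 'student' role and the 'avatar' field are assumptions for illustration.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'example_register_user',
        'permission_callback' => '__return_true', // public sign-up; role is fixed server-side
    ) );
} );
function example_register_user( WP_REST_Request $req ) {
    // Role allowlist: a request asking for 'administrator' is not honoured.
    $allowed_roles = array( 'subscriber', 'student' );
    $role = sanitize_key( (string) $req->get_param( 'role' ) );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = get_option( 'default_role', 'subscriber' );
    }
    $login = sanitize_user( (string) $req->get_param( 'username' ), true );
    $email = sanitize_email( (string) $req->get_param( 'email' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'invalid_input', 'Invalid username or e-mail.', array( 'status' => 400 ) );
    }
    // Prepared statement: input is bound via placeholders, never concatenated into SQL.
    global $wpdb;
    $exists = $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_login = %s OR user_email = %s",
        $login, $email
    ) );
    if ( $exists ) {
        return new WP_Error( 'user_exists', 'Account already exists.', array( 'status' => 409 ) );
    }
    // Upload restriction: only JPEG/PNG, checked by extension and by file content
    // (wp_handle_upload runs wp_check_filetype_and_ext against the 'mimes' allowlist).
    $files = $req->get_file_params();
    if ( ! empty( $files['avatar'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        $files['avatar']['name'] = sanitize_file_name( $files['avatar']['name'] );
        $upload = wp_handle_upload( $files['avatar'], array(
            'test_form' => false,
            'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' ),
        ) );
        if ( isset( $upload['error'] ) ) {
            return new WP_Error( 'bad_upload', $upload['error'], array( 'status' => 400 ) );
        }
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login, 'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), 'role' => $role,
    ) );
    return is_wp_error( $user_id ) ? $user_id : new WP_REST_Response( array( 'id' => $user_id, 'role' => $role ), 201 );
}
```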