Critical Vulnerabilities Found in WordPress Plugins WPLMS and VibeBP

Written by

A series of critical vulnerabilities affecting the widely used WPLMS and VibeBP plugins for WordPress have been identified by security researchers.

These plugins are essential components of the WPLMS premium LMS theme, which counts over 28,000 sales. They are primarily used for creating online courses, managing students and selling educational content.

The vulnerabilities, now patched, posed significant risks, including unauthorized file uploads, privilege escalation and SQL injection attacks.

Critical Vulnerabilities Identified

Among the most severe flaws discovered by PatchStack were arbitrary file uploads, including CVE-2024-56046, allowing attackers to upload malicious files, potentially leading to remote code execution (RCE).

Privilege escalation vulnerabilities including CVE-2024-56043 enabled unauthenticated and low-privileged users to elevate their roles to administrator, risking complete site takeovers. SQL injection vulnerabilities were also uncovered, such as CVE-2024-56042, exposing sensitive database information through malicious queries.

The vulnerabilities were found in various functionalities, including registration forms and REST API endpoints. 

Researchers reported 18 vulnerabilities in total, with several deemed critical.

Read more on WordPress security: Security Flaws in WordPress Woffice Theme Prompts Urgent Update

Updates Released for WPLMS and VibeBP 

To address these issues, the developers have issued updates for WPLMS (version 1.9.9.5.3) and VibeBP (version 1.9.9.7.7). 

The developers addressed these vulnerabilities by introducing stricter controls and security checks.

For arbitrary file upload flaws, they limited uploadable file types, added permission checks and, in some cases, removed vulnerable code. Privilege escalation issues were mitigated by enforcing role restrictions during registration and implementing whitelists for permissible options. To counter SQL injection risks, they applied proper input escape and secured affected variables and code.

Users are urged to apply these patches immediately to protect their sites.

To prevent similar vulnerabilities, developers are encouraged to implement the following security measures:

  • Restrict file uploads by checking file names and types

  • Use role allowlists for registration processes and default roles

  • Escape all user inputs in SQL queries and favor prepared statements

What’s hot on Infosecurity Magazine?