HQ/EMEAFind out how we can help your business
Several critical vulnerabilities have appeared in a couple of well-known WordPress plugins, WPLMS and VibeBP.
These plugins are crucial components of the WPLMS premium LMS theme, which has already sold at least 28,000 copies. Websites commonly use this plugin to create online courses, manage students, and sell educational materials.
Reports revealed that the recently fixed vulnerabilities offered substantial threats, such as unauthorised file uploads, privilege escalation, and SQL injection attacks.
One of the threats of the WPLMS and VibeBP critical vulnerabilities is the provision of remote code execution.
Investigations have revealed several security vulnerabilities in the WPLMS and VibeBP WordPress plugins. One bug, tracked by researchers as CVE-2024-56046, could enable an unauthorised individual to upload malicious files, potentially resulting in remote code execution (RCE).
Another flaw found in the plugins is a privilege escalation vulnerability, CVE-2024-56043. This weakness could enable unauthenticated and low-privileged users to elevate to admin roles, putting the site at risk of a complete takeover.
Additionally, the other confirmed bug is an SQL injection vulnerability tracked as CVE-2024-56042. This bug could expose sensitive database information via malicious queries. Researchers revealed that these vulnerabilities were discovered across various capabilities, including registration forms and REST API endpoints. As of now, the initial assessment has already identified at least 18 vulnerabilities.
On the other hand, the developers released updates to WPLMS (version 1.9.9.5.3) and VibeBP (version 1.9.9.7.7) to address these issues. The developers fixed these vulnerabilities by implementing more strict controls and security checks.
For arbitrary file upload issues, they restricted uploadable file types, featured permission checks, and eliminated vulnerable code. Furthermore, the privilege escalation concerns were addressed by imposing role constraints during registration and implementing whitelists of acceptable options.
Therefore, the developers used suitable input escape to mitigate SQL injection threats and protect the compromised variables and code. Users should adopt these updates as soon as possible to secure their websites.
Developers should implement security measures, such as restricting file uploads and adopting role-allow listing, to prevent potential exploits from such critical bugs.
