Unauthenticated File Deletion Vulnerability in WPLMS LMS Theme for WordPress
CVE-2024-10470
Key Information:
- Vendor: WordPress
- CVE Published: 9 November 2024
Summary
CVE-2024-10470 is a critical path traversal vulnerability in the WPLMS Learning Management System theme for WordPress (listed as "WPLMS Learning Management System for WordPress, WordPress LMS") that affects all versions up to and including 4.962. It allows unauthenticated attackers to delete arbitrary files on the server, which can lead to remote code execution, and the vulnerable code is reachable even when the theme is not activated. There is no evidence of active exploitation by ransomware groups, but the potential impact includes unauthorized data access, site disruption, and full system compromise. The vulnerability is resolved in version 4.963, so updating to this version eliminates the risk. Website administrators are otherwise advised to deactivate or remove the WPLMS theme (removal is the safer of the two, since the flaw is reachable while the theme is inactive), apply strong access controls, implement file integrity monitoring, back up installations regularly, use a web application firewall, monitor for updates, and consider isolating WordPress installations to limit the impact of exploitation.
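The two defects behind this class of bug are an endpoint that is reachable without authentication and a file path built from user input without confinement. The following is an added example of how a WordPress plugin or theme can close both gaps; it is not WPLMS code and does not describe the actual vulnerable routine. The action slug `myplugin_delete_upload`, the `file` request parameter, and the function names are hypothetical; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_upload_dir`, `sanitize_file_name`, `wp_delete_file`, `wp_send_json_error`) are real.

```php
<?php
// Added example (not WPLMS code): a file-deletion handler that
// 1. requires a logged-in, capable user plus a valid nonce, and
// 2. resolves the requested name and confines it to one directory,
//    so "../" sequences and symlinks cannot reach files outside it.
// The action slug and parameter name below are hypothetical.

/**
 * Resolve $requested inside $base_dir and return the real path, or false
 * if the result escapes the base directory, does not exist, or is not a file.
 */
function myplugin_confine_path( string $base_dir, string $requested ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    // Only a bare file name is accepted: basename() drops directory
    // components and sanitize_file_name() strips characters WordPress
    // does not allow in upload names.
    $name = sanitize_file_name( basename( $requested ) );
    if ( '' === $name ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    // Defense in depth: realpath() follows symlinks, so confirm the
    // resolved file is still strictly inside the base directory.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $target, $prefix ) ) {
        return false;
    }
    return $target;
}

/**
 * AJAX handler: deletes one file from the uploads directory, only for
 * users who can manage options and who present a valid nonce.
 */
function myplugin_handle_delete_upload() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'myplugin_delete_upload', 'nonce' );

    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $uploads   = wp_upload_dir();
    $target    = myplugin_confine_path( $uploads['basedir'], $requested );

    if ( false === $target ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success( basename( $target ) );
}

// Registered for authenticated users only: there is deliberately no
// 'wp_ajax_nopriv_' hook, so an unauthenticated request never reaches
// the handler. This hook must not be wrapped in a theme-active check
// that the request can bypass; the capability test above is the gate.
add_action( 'wp_ajax_myplugin_delete_upload', 'myplugin_handle_delete_upload' );
```

The confinement helper accepts only a bare file name and rejects anything whose resolved path lies outside the uploads directory, so an attacker-controlled value cannot select arbitrary files even if the authentication checks were somehow bypassed. File integrity monitoring, as recommended above, is the matching detection control: an unexpected deletion of a core file such as a configuration file should raise an alert regardless of which endpoint performed it.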
Affected Version(s)
WPLMS Learning Management System for WordPress, WordPress LMS (all versions <= 4.962)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
- Critical WPLMS WordPress Theme Bug Puts Websites At Risk Of RCE (3 months ago): A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal
- Path Traversal Vulnerability In WPLMS WordPress Theme Exposes Websites To RCE - Cyble (3 months ago): A vulnerability in the WPLMS WordPress theme can put websites at risk of Remote Code Execution.
Timeline
- First article discovered by Cyble
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved