Advisory

Critical flaws reported in WordPress WPLMS theme required plugins

Take action: If you are running the WPLMS theme, update it ASAP. There are many critical flaws, and it is only a matter of time before you are attacked.

Learn More

Multiple critical vulnerabilities have been reported in the WPLMS theme and its required plugins (WPLMS and VibeBP), which are used by over 28,000 educational institutions and e-learning providers.

The most severe vulnerabilities include:

  • CVE-2024-56046 (CVSS score 10.0) - Unauthenticated arbitrary file upload leading to RCE
  • CVE-2024-56050 (CVSS score 9.9) - Authenticated file upload bypass for subscribers
  • CVE-2024-56052 (CVSS score 9.9) - File upload bypass for student roles
  • CVE-2024-56043 (CVSS score 9.8) - Unauthenticated administrator role registration
  • CVE-2024-56048 (CVSS score 8.8) - Privilege escalation to administrator
  • CVE-2024-56042 (CVSS score 9.3) - SQL injection for data extraction
  • CVE-2024-56047 (CVSS score 8.5) - SQL query execution by low-privilege users

In the VibeBP plugin:

  • CVE-2024-56040 (CVSS score 9.8) - Unauthenticated privileged user registration
  • CVE-2024-56039 (CVSS score 9.3) - Unauthenticated SQL injection
  • CVE-2024-56041 (CVSS score 8.5) - Authenticated SQL injection

Patchstack reported these issues to Vibe Themes on March 31. After extensive testing between April and November, patches are now available in WPLMS version 1.9.9.5.3 and VibeBP version 1.9.9.7.7.
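A practical way to act on the patched version numbers above is to compare what is installed against them. The script below is an added example, not code from the advisory, Patchstack or Vibe Themes. It reads the `Version:` field from a WordPress theme `style.css` or plugin main-file header (the standard WordPress header format) and flags anything older than WPLMS 1.9.9.5.3 or VibeBP 1.9.9.7.7. The sample headers embedded in it are constructed for illustration; on a real site you would read the files from `wp-content/themes/` and `wp-content/plugins/` instead.

```python
import re

# Patched versions stated in the advisory; anything older is treated as vulnerable.
PATCHED_VERSIONS = {
    "WPLMS": "1.9.9.5.3",
    "VibeBP": "1.9.9.7.7",
}

# Constructed sample headers standing in for a theme style.css and a plugin's main
# PHP file. These are illustrative, not the real files shipped by the vendor.
SAMPLE_HEADERS = {
    "WPLMS": """/*
Theme Name: WPLMS
Theme URI: https://example.invalid/
Version: 1.9.9.5
*/""",
    "VibeBP": """<?php
/*
Plugin Name: VibeBP
Version: 1.9.9.7.7
*/""",
}

# WordPress header fields are "Key: value" lines, possibly prefixed by comment markers.
HEADER_VERSION_RE = re.compile(
    r"^[\s*#]*Version:\s*([0-9][0-9.]*)", re.MULTILINE | re.IGNORECASE
)


def parse_version(text):
    """Turn '1.9.9.5.3' into (1, 9, 9, 5, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().strip(".").split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter versions are zero-padded (1.9.9.5 == 1.9.9.5.0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def header_version(header_text):
    """Extract the Version: field from a theme or plugin header, or None if absent."""
    match = HEADER_VERSION_RE.search(header_text)
    return match.group(1) if match else None


def assess(component, header_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one component."""
    installed = header_version(header_text)
    if installed is None or component not in PATCHED_VERSIONS:
        return "unknown"
    if compare_versions(installed, PATCHED_VERSIONS[component]) >= 0:
        return "patched"
    return "vulnerable"


def audit(headers):
    """Map each component name to (installed version, status)."""
    return {name: (header_version(text), assess(name, text)) for name, text in headers.items()}


if __name__ == "__main__":
    for name, (installed, status) in audit(SAMPLE_HEADERS).items():
        print(f"{name}: installed {installed or '?'}, "
              f"required {PATCHED_VERSIONS[name]} -> {status}")
```

Versions are compared as padded integer tuples rather than strings, because a string comparison would wrongly rank 1.9.10 below 1.9.9.7.7. A missing or unparsable header yields "unknown" rather than "patched", so an unreadable file is never silently treated as safe.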

The number of affected installations is 28,000+, based on sales figures. No information about actual exploitations or financial impact has been publicly disclosed.
