Critical WPLMS WordPress Theme Vulnerability Puts Websites at Risk of RCE Attacks

A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal flaw.

CVE-2024-10470, a vulnerability in the WPLMS Learning Management System (LMS) theme for WordPress, allows attackers to read and delete arbitrary files on the server, regardless of theme activation status.

The flaw, assigned a 9.8 CVSS score, stems from inadequate file path validation in functions handling file reading and deletion. Notably, this vulnerability could affect thousands of LMS-driven websites, risking unauthorized data access and complete system compromise.

Vulnerability Details and Scope

This path traversal vulnerability, identified by researcher Friderika Baranyai (Foxyyy), impacts all WPLMS versions up to 4.962. While not requiring authentication, attackers exploit the flaw by targeting the theme’s file handling functions. Sites operating any WPLMS version below 4.963 are vulnerable, even if the theme is inactive, leaving critical WordPress installations exposed.

A crafted request, such as the one described by GitHub user RandomRobbieBF, demonstrates the exploit’s simplicity. Attackers can delete essential files like wp-config.php—a configuration file necessary for WordPress operation—potentially resulting in full server control.

Also read: Top 10 Most Common WordPress Vulnerabilities to Look Out For in 2024

Exploit Mechanism and Risks

An attacker could execute this vulnerability by sending crafted HTTP POST requests with the “download_export_zip” parameter, manipulating the server to delete or read critical files. For instance:

This request targets sensitive files like .htaccess, potentially destabilizing the server or granting unauthorized file access. Though there’s no proof of active exploitation yet, the vulnerability remains exploitable, underscoring its critical nature.

Mitigation Measures and Recommendations

Administrators using the WPLMS theme should take immediate action to secure their WordPress environments. Recommended steps include:

1. Deactivate and Remove WPLMS Theme: Temporarily disable and remove WPLMS until a patch is applied. If the theme is non-essential, permanent removal could prevent future exploits.
2. Strengthen Access Controls: Limit access to files like wp-config.php and enforce file permissions to prevent unauthorized modification or deletion.
3. Implement File Integrity Monitoring: Use tools to monitor and alert administrators of unauthorized file changes, enabling faster response to attacks.
4. Regular Backups: Back up WordPress files and databases to allow swift recovery if data is compromised.
5. Deploy a Web Application Firewall (WAF): Filter malicious requests to block potential path traversal exploits targeting WPLMS vulnerabilities.
6. Stay Updated: Regularly monitor for WPLMS updates, as version 4.963 resolves this vulnerability.

CVE-2024-10470 represents a serious threat for WPLMS users, allowing unauthenticated file deletion that risks data integrity and system control. Administrators should urgently secure their WordPress installations, apply any available patches, and enforce strong access controls. These steps will help mitigate the chances of unauthorized access and safeguard critical site functions.