Security researchers have discovered a series of vulnerabilities in the WordPress Learning Management System (WPLMS), which allowed arbitrary code execution and malware installation on infected computers.
The WPLMS theme is a learning management system (LMS) for WordPress, used mainly by educational institutions and other companies that provide training and e-learning, as highlighted by Bleeping Computer.
The team behind the Patchstack security software found a total of 18 vulnerabilities in two plugins for WPLMS, one of the same name and another called VibeBP, which allow attackers to carry out various malicious actions.
For example, CVE-2024-56046 lets attackers upload malicious files without authentication, while CVE-2024-56050 allows them to authenticate with subscriber privileges, so they can upload files and bypass restrictions.
The flaw identified as CVE-2024-56042, meanwhile, lets them inject malicious SQL queries to extract sensitive data or compromise victims’ databases.
Researchers have noted that WPLMS users should update the theme to version 1.9.9.5.3 or newer, while VibeBP must be updated to version 1.9.9.7.7 or later.
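To check an installation against those fixed versions, the following added example (not code from Patchstack or the WPLMS developers) reads the `Version:` header that WordPress takes from a plugin's main PHP file or a theme's `style.css` and compares it component by component. The `FIXED` keys and the sample header text are constructed for illustration.

```python
import re

# Minimum fixed versions as stated in the article above.
# The dictionary keys are labels chosen for this example.
FIXED = {
    "wplms": "1.9.9.5.3",
    "vibebp": "1.9.9.7.7",
}

# WordPress reads "Version: x.y.z" from the header comment of a plugin's
# main PHP file or a theme's style.css.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def header_version(header_text):
    """Return the version string from a plugin/theme header, or None."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def as_tuple(version, width=6):
    """Turn '1.9.9.5' into (1, 9, 9, 5, 0, 0) so parts compare as integers."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_patched(component, installed):
    """True if installed >= fixed version; an unreadable version is unpatched."""
    if installed is None:
        return False
    # Integer comparison matters: as strings, "1.9.9.10" sorts before "1.9.9.7.7".
    return as_tuple(installed) >= as_tuple(FIXED[component])


# Constructed sample headers (not copied from the real products).
SAMPLE_WPLMS = "/*\nTheme Name: WPLMS\nVersion: 1.9.9.5.2\n*/"
SAMPLE_VIBEBP = "<?php\n/**\n * Plugin Name: VibeBP\n * Version: 1.9.9.10\n */"

if __name__ == "__main__":
    for name, text in (("wplms", SAMPLE_WPLMS), ("vibebp", SAMPLE_VIBEBP)):
        v = header_version(text)
        print(name, v, "patched" if is_patched(name, v) else "UPDATE REQUIRED")
```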