CyberSecurity updates
Updated: 2024-11-22 18:15:09 Pacfic

wordfence.com
WPLMS WordPress Theme Vulnerability Exposes Websites to RCE Attacks - 10d

A critical vulnerability, CVE-2024-10470, has been discovered in the WPLMS WordPress theme, putting thousands of LMS-driven websites at risk of Remote Code Execution (RCE) attacks. This vulnerability arises from a path traversal flaw, allowing attackers to read and delete arbitrary files on the server, even without authentication. The vulnerability affects all versions of WPLMS up to 4.962, and attackers could exploit it by sending crafted HTTP POST requests to delete essential files like wp-config.php, potentially leading to complete system compromise. Administrators using the WPLMS theme are advised to take immediate action to secure their WordPress environments. This includes deactivating and removing the WPLMS theme, strengthening access controls, implementing file integrity monitoring, taking regular backups, deploying a Web Application Firewall (WAF), and staying updated with the latest WPLMS patches. These steps are crucial for mitigating the risk of unauthorized access and safeguarding critical site functions.


This site is an experimental news aggregator using feeds I personally follow. You can reach me at Bluesky if you have feedback or comments.