Platform
wordpress
Component
wplms
Fixed in
4.962.1
CVE-2024-10470 describes a critical Arbitrary File Access vulnerability affecting the WPLMS Learning Management System for WordPress. This flaw allows unauthenticated attackers to read and delete files on the server, posing a significant risk of remote code execution. The vulnerability impacts versions of WPLMS up to and including 4.962, and even persists when the theme is not activated.
The primary impact of CVE-2024-10470 is the ability for an attacker to read and delete arbitrary files on a WordPress server. This is particularly concerning because deleting critical files like wp-config.php can lead to remote code execution. Successful exploitation allows an attacker to gain control of the web server, potentially leading to data breaches, website defacement, and further compromise of the underlying system. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. The fact that the theme remains vulnerable even when inactive amplifies the risk, as it can be exploited regardless of the active theme.
CVE-2024-10470 was publicly disclosed on 2024-11-09. The vulnerability's ease of exploitation and potential for RCE suggest a medium to high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting WPLMS installations.
Exploit Status
EPSS
49.00% (98% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10470 is to upgrade WPLMS to a version that addresses the vulnerability. Unfortunately, a specific fixed version is not provided in the input. As a temporary workaround, restrict file permissions on the WPLMS directory to prevent unauthorized access and deletion. Implement a Web Application Firewall (WAF) with rules to block attempts to access or manipulate files outside of designated directories. Regularly monitor server logs for suspicious file access or deletion attempts. After upgrading, confirm the fix by attempting to access sensitive files via the vulnerable endpoint and verifying that access is denied.
Update the WPLMS theme to the latest available version. If no version is available that fixes the vulnerability, consider disabling the theme until an update is released.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-10470 is a critical vulnerability in WPLMS LMS for WordPress allowing unauthenticated attackers to read and delete files, potentially leading to remote code execution.
You are affected if you are using WPLMS LMS for WordPress versions up to and including 4.962. Upgrade immediately.
Upgrade WPLMS to a patched version. If a patch isn't available, restrict file permissions and implement a WAF as temporary mitigations.
While active exploitation is not confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WPLMS official website and WordPress security announcements for the latest advisory and patch information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.