PT-2024-16300 · WordPress · Wplms Learning Management System

Foxyyy +1 · Published 2014-02-18 · Updated 2024-11-22 · CVE-2024-10470

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: WPLMS Learning Management System for WordPress, versions prior to 4.963.

Description: The WPLMS Learning Management System for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and missing permission checks around its readfile and unlink calls. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as wp-config.php. The theme is vulnerable even when it is not activated. Over 28,000 sites are potentially exposed to this vulnerability.

Recommendations: Update to version 4.963 to avoid full site hijacks, data loss, and downtime. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation. Ensure your system is updated to the latest version to protect against potential exploits.
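The advisory names two missing controls: a permission check before the file-system call, and validation that the requested path stays inside an allowed directory. The following is an added illustration, not WPLMS code, of how a WordPress handler that serves and deletes files can enforce both. The hook names (`lms_download_file`, `lms_delete_file`), the `lms-files` directory under `wp-content/uploads`, the nonce action names and the chosen capabilities are assumptions made for the example.

```php
<?php
// Added example (not the WPLMS theme's code): hardened download and delete
// handlers that apply the checks the advisory says were absent. Only logged-in
// requests reach admin_post_* hooks; a capability check and a nonce are still
// required, and every path is canonicalised and proven to lie inside one base
// directory before readfile() or unlink() is called.

add_action( 'admin_post_lms_download_file', 'lms_secure_download' );
add_action( 'admin_post_lms_delete_file', 'lms_secure_delete' );

/**
 * Canonical path of $base/<basename of $relative> if it lies inside $base,
 * otherwise null. basename() drops directory components, so "../" sequences
 * never reach the file system; realpath() resolves symlinks; the prefix check
 * with a trailing separator rejects sibling directories such as "lms-files-old".
 */
function lms_contained_path( $base, $relative ) {
    if ( $base === false || $relative === '' ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . basename( $relative ) );
    if ( $candidate === false || ! is_file( $candidate ) ) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp( $candidate, $prefix, strlen( $prefix ) ) === 0 ? $candidate : null;
}

// Shared guard: capability check, CSRF nonce, then path containment.
// Returns the safe absolute path or terminates the request.
function lms_guarded_path( $capability, $nonce_action ) {
    if ( ! current_user_can( $capability ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( $nonce_action ); // dies on a missing or invalid nonce

    // Assumed storage location for the example; realpath() yields false if absent.
    $base      = realpath( WP_CONTENT_DIR . '/uploads/lms-files' );
    $requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $path      = lms_contained_path( $base, $requested );
    if ( $path === null ) {
        wp_die( 'Invalid file', 400 );
    }
    return $path;
}

function lms_secure_download() {
    // Reading requires the lowest capability; the path is already contained.
    $path = lms_guarded_path( 'read', 'lms_download_file' );
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

function lms_secure_delete() {
    // Deletion is destructive, so a stronger capability is demanded, and
    // unlink() can still only reach files inside the lms-files directory.
    $path = lms_guarded_path( 'delete_others_posts', 'lms_delete_file' );
    if ( ! unlink( $path ) ) {
        wp_die( 'Delete failed', 500 );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

The order of the checks matters for this class of bug: authorization and the nonce are evaluated before any user-controlled string is combined with a file-system path, and the containment helper rejects the request on any failure (base directory missing, `realpath()` returning false, non-regular file, or a canonical path outside the prefix) rather than falling back to the raw input. When auditing a theme for the same defect, look for `readfile`, `unlink`, `file_get_contents` and similar calls reachable from `init`, `admin_post_nopriv_*`, `wp_ajax_nopriv_*` or template-loading code that runs regardless of whether the theme is active, and confirm each one is preceded by both a capability check and a path check of this shape.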

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-01647
CVE-2024-10470

Affected Products

Wplms Learning Management System