Vulnerability Description
The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vibethemes | Wordpress Learning Management System | < 4.963 |
Related Weaknesses (CWE)
References
- https://themeforest.net/item/wplms-learning-management-system/6780226Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1932c9b4-2fea-40f8-974Third Party Advisory
FAQ
What is CVE-2024-10470?
CVE-2024-10470 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks ...
How severe is CVE-2024-10470?
CVE-2024-10470 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-10470?
Check the references section above for vendor advisories and patch information. Affected products include: Vibethemes Wordpress Learning Management System.