CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-56046

CVSS 10.0v3.1pub. 2024-12-31upd. 2026-04-23

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through <= 1.9.9.

🤖 AI Analysis
How it works

WPLMS plugin in versions up to and including 1.9.9 does not sufficiently verify the type or content of uploaded files (CWE-434). An attacker without any authentication can upload an executable file to the server, such as a PHP Web Shell. Once such a file is placed on the server, it can be remotely invoked via HTTP and execute arbitrary system commands in the context of the web server process.

Impact

An attacker can gain full control over the web server by executing a Web Shell — this enables reading and modifying data, privilege escalation, lateral movement in the internal network, and complete takeover of the hosting environment.

Mitigation & patch

The WPLMS plugin must be immediately updated to a version higher than 1.9.9. Detailed information about available patches is available in the vendor's references and in the Patchstack database. Until the update is applied, it is recommended to temporarily disable the plugin and monitor the uploads directory for suspicious executable files.

Who is affected

WPLMS plugin (wplms_plugin) by VibeThemes for WordPress, versions from the beginning through 1.9.9 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Vibethemes WordPress Learning Management System

    APP
    Vibethemes
    < 1.9.9.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2024-56045CRITICAL9.3PL ✓ten sam produkt

Path Traversal w WPLMS — nieautoryzowane usuwanie katalogów

CVE-2024-56042CRITICAL9.3PL ✓ten sam produkt

SQL Injection w pluginie WPLMS dla WordPress (VibeThemes)

CVE-2024-56043CRITICAL9.8PL ✓ten sam produkt

WPLMS Plugin – nieuwierzytelniona eskalacja uprawnień (privilege escalation)

CVE-2024-56044CRITICAL9.8PL ✓ten sam produkt

Authentication Bypass w pluginie WPLMS dla WordPress (do wersji 1.9.9)

CVE-2024-56050CRITICAL9.9PL ✓ten sam produkt

Nieograniczony upload plików w WPLMS — możliwość wgrania Web Shell