- Two WordPress plugins discovered to have 18 security vulnerabilities
- Most of these are considered critical as they allow RCE etc.
- Everything is now patched, so be sure to upgrade your plugins
More than a dozen vulnerabilities were discovered in two premium WordPress plugins, some of which were considered critical.
That's according to WordPress cybersecurity platform Patchstack, which found the flaws in late March 2024 and reported them to the developer. Since then, all bugs have been mitigated.
These bugs were discovered in the WPLMS and VibeBP plug-ins.
Update plugin
WordPress supports Learning Management Systems (LMS), platforms that allow users to create, manage, and sell online courses directly from their WordPress website. LMS plugins integrate educational features and functionality with WordPress, allowing teachers or organizations to teach courses, track learner progress, and engage students effectively.
WPLMS is one of the most popular LMS platforms and is built by a company called VibeThemes. Purchased over 28,000 times, it comes with features such as course creation and management, quizzes and assessments, membership and subscription support, and more.
VibeBP, on the other hand, is a WordPress plugin that integrates BuddyPress with WPLMS, enhancing its social learning capabilities. It allows users to build communities by providing user profiles, activity streams, private messaging, and notification options. It is also built by VibeThemes.
Patchstack said it found 18 vulnerabilities, most of which were critical.
They allow unauthenticated remote attackers to upload arbitrary files, execute code, escalate privileges, and perform SQL injections. In other words, they can exploit these bugs to take over websites, steal sensitive data, and more. One of the bugs – CVE-2024-56046 – even received a top score of 10/10 because it allows malicious actors to upload arbitrary files without authentication, potentially leading to Remote Code Execution (RCE).
A full list of vulnerabilities and affected versions can be found at this link.
WPLMS users should ensure that their platforms are upgraded to version 1.9.9.5.3 or higher and VibeBP to 1.9.9.7.7 or higher.
Patchstack says that as a rule of thumb, website owners should enforce secure file uploads, SQL query sanitization, and role-based access controls.
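To check an installation against the fixed versions named above, the following added example (not code from Patchstack or VibeThemes) reads the standard WordPress plugin file header and compares versions component by component. The header names used as lookup keys and the sample headers are assumptions constructed for illustration.

```python
import re

# Minimum fixed versions stated in the article. The header names used as keys
# are assumptions; adjust them to the "Plugin Name:" values on your install.
FIXED = {"wplms": "1.9.9.5.3", "vibebp": "1.9.9.7.7"}

HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def read_header(php_source):
    """Return (plugin name, version) from the first 8 KB, which is all WordPress scans."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields.get("plugin name"), fields.get("version")

def version_key(version):
    """'1.9.9.5.3' -> (1, 9, 9, 5, 3); a non-numeric part counts as 0."""
    nums = (re.match(r"\d+", p) for p in version.strip().split("."))
    return tuple(int(m.group()) if m else 0 for m in nums)

def is_patched(installed, fixed):
    """Numeric, per-component comparison, so 1.9.10 ranks above 1.9.9.5.3."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def audit(sources):
    """sources: plugin main-file contents. Returns (name, version, status)."""
    report = []
    for src in sources:
        name, version = read_header(src)
        fixed = FIXED.get((name or "").lower())
        if fixed is None:
            continue  # not one of the two plugins covered here
        patched = version is not None and is_patched(version, fixed)
        status = "unknown" if version is None else "ok" if patched else "vulnerable"
        report.append((name, version, status))
    return report

# Constructed sample headers, not taken from the real plugins.
SAMPLES = [
    "<?php\n/*\nPlugin Name: WPLMS\nVersion: 1.9.9.5.2\n*/\n",
    "<?php\n/**\n * Plugin Name: VibeBP\n * Version: 1.9.9.7.7\n */\n",
]
```

Feed `audit()` the contents of each plugin's main PHP file; a status of `unknown` means the header carried no `Version:` field and the plugin needs a manual check.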
Via BleepingComputer