A critical security vulnerability, designated as CVE-2024-10470, has been discovered in the WPLMS Learning Management System (LMS) theme for WordPress. This flaw allows unauthenticated attackers to read and delete arbitrary files on the server due to insufficient file path validation in specific functions, namely readfile and unlink. The vulnerability is present in all versions of the theme up to and including 4.962, and it carries a CVSS score of 9.8, indicating a critical level of severity.

Vulnerability Details

• Type: Path Traversal (CWE-22)
• Affected Versions: All versions <= 4.962
• Severity: Critical (CVSS 9.8)
• Impact: The vulnerability allows attackers to potentially delete important files such as wp-config.php, which can lead to unauthorized access and complete server control, including remote code execution (RCE).

Exploitation Mechanism

The vulnerability can be exploited without authentication, meaning attackers do not need valid credentials to execute their attacks. They can send crafted HTTP requests targeting specific parameters within the WPLMS theme, such as download_export_zip, to manipulate file handling functions and access sensitive files on the server.For example, a potential exploit could look like this:

POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1 Host: [Target-IP] Content-Type: application/x-www-form-urlencoded download_export_zip=1&zip_file=.htaccess

This request could allow attackers to read or delete crucial configuration files, significantly compromising the security of the affected WordPress installations

Mitigation Measures

To address this vulnerability, users of the WPLMS theme are strongly advised to take the following actions:

• Update Immediately: Upgrade to version 4.963 or later, which includes patches for this vulnerability.
• Deactivate the Theme: If immediate updating is not possible, consider deactivating the WPLMS theme temporarily until a patch is applied.
• Implement Strong Access Controls: Ensure that sensitive files like wp-config.php have restricted permissions to prevent unauthorized access.
• Regular Backups: Maintain regular backups of your WordPress files and databases to facilitate recovery in case of an attack.
• Use Security Tools: Consider deploying a Web Application Firewall (WAF) and file integrity monitoring tools to detect and block malicious requests targeting this vulnerability

Conclusion

The discovery of CVE-2024-10470 poses a serious threat to thousands of websites utilizing the WPLMS theme. Administrators must act swiftly to secure their systems by updating their themes and implementing recommended security practices. Failure to do so could result in unauthorized access, data loss, or complete site compromise.