Path Traversal Vulnerability in WPLMS WordPress Theme Exposes Websites to RCE 

A vulnerability in the WPLMS WordPress theme can put websites at risk of Remote Code Execution.

Overview 

A critical path traversal vulnerability, CVE-2024-10470, has been identified in the WPLMS Learning Management System (LMS) theme for WordPress. The flaw allows unauthenticated attackers to read and delete arbitrary files on the server: a user-supplied file name reaches the theme's PHP readfile() and unlink() calls without being validated or confined to the directory the script is meant to serve.

The flaw affects all versions of the WPLMS theme up to and including 4.962 (not WordPress core itself) and carries a CVSS score of 9.8.

According to the proof-of-concept write-up published on GitHub under the account RandomRobbieBF, the flaw is reachable even when WPLMS is installed but is not the active theme, because the vulnerable script is requested directly by its path under wp-content/themes/. This potentially exposes a large number of LMS-driven websites to unauthorized data access, site disruption, and full system compromise.

The original finding of CVE-2024-10470 is attributed to independent researcher Friderika Baranyai, aka Foxyyy.

Vulnerability Details 

  • CVE: CVE-2024-10470 
  • Type: Path Traversal (CWE-22) 
  • Affected Theme: WPLMS Learning Management System for WordPress 
  • Affected Versions: <= 4.962 
  • Severity: Critical (CVSS 9.8) 
  • Impact: Confidentiality, Integrity, Availability 
  • Found By: Friderika Baranyai, aka Foxyyy 

Exploitation Details 

This vulnerability allows attackers to delete critical files, such as wp-config.php, without needing authentication. wp-config.php holds the database credentials and authentication salts; when it is missing, WordPress treats the site as not yet installed and serves the installation wizard. An attacker who completes that wizard against a database they control ends up with an administrator account on the site and can then upload a plugin or edit theme files to run arbitrary PHP, which is the route from file deletion to remote code execution. The arbitrary file read side of the bug separately exposes wp-config.php's database credentials to anyone who can reach the script.

A sample exploit request has been published on GitHub (see below), but at the time of writing there was no evidence of active exploitation. Given how simple the request is, attackers could send crafted requests to read or delete files arbitrarily with little effort.


For example, the download_export_zip and zip_file parameters handled by the theme's envato-setup-export.php script can be abused to read or delete sensitive server files, leading to significant security risks for affected WordPress installations.

A sample crafted request, as described on GitHub, which could exploit this vulnerability is as follows (the Content-Length here matches the 40-byte body shown):

POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1
Host: [Target-IP]
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

download_export_zip=1&zip_file=.htaccess

This request sets the zip_file parameter to .htaccess, a file that has nothing to do with theme exports; the script reads or deletes it anyway because the name is never checked. Deleting .htaccess can break rewrite rules and remove server-level access restrictions, and substituting other relative paths, including directory traversal sequences, reaches other readable or deletable files such as wp-config.php.
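The flaw class above, as an added illustration that is not WPLMS code: the theme is written in PHP and the page does not reproduce its source, so the vulnerable and hardened resolvers below are written in Python from the description given. The sandbox directory, the "exports" folder name and the demo file names are constructed for the example; the real export location inside WPLMS is not given on the page.

```python
import os
import tempfile


def make_sandbox() -> str:
    """Build a throwaway directory tree standing in for a WordPress root.

    The 'exports' directory name and the demo file names are constructed for
    this example; the page does not give WPLMS's real export location.
    """
    root = tempfile.mkdtemp(prefix="wplms-demo-")
    export_dir = os.path.join(root, "exports")
    os.makedirs(export_dir)
    with open(os.path.join(export_dir, "demo-export.zip"), "wb") as fh:
        fh.write(b"PK\x05\x06" + b"\x00" * 18)  # minimal empty ZIP archive
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php define('DB_PASSWORD', 'secret');\n")
    return root


def vulnerable_resolve(export_dir: str, zip_file: str) -> str:
    """The flaw class described above: user input is joined onto a directory
    and handed straight to readfile()/unlink() with no validation."""
    return os.path.join(export_dir, zip_file)


def safe_resolve(export_dir: str, zip_file: str) -> str:
    """Return a path inside export_dir, or raise ValueError/FileNotFoundError."""
    base = os.path.realpath(export_dir)
    # 1. Reject anything that is not a single filename component.
    if not zip_file or zip_file in (".", "..") or os.path.basename(zip_file) != zip_file:
        raise ValueError("filename component only")
    # 2. Allow-list the expected extension; refuse dotfiles such as .htaccess.
    if zip_file.startswith(".") or not zip_file.lower().endswith(".zip"):
        raise ValueError("only .zip exports may be served")
    # 3. Resolve symlinks and confirm the result is still under export_dir,
    #    so a planted symlink cannot point the script at wp-config.php.
    candidate = os.path.realpath(os.path.join(base, zip_file))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes export directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(zip_file)
    return candidate


def demo() -> dict:
    """Run both resolvers against inputs an attacker and a legitimate user
    would send; returns a dict of input -> outcome."""
    root = make_sandbox()
    export_dir = os.path.join(root, "exports")
    results = {}

    # Vulnerable path: one '../' is enough to land on wp-config.php.
    escaped = vulnerable_resolve(export_dir, "../wp-config.php")
    with open(escaped, encoding="utf-8") as fh:
        results["vulnerable_reads_config"] = "DB_PASSWORD" in fh.read()

    # Planted symlink inside the export directory (skipped where unsupported).
    try:
        os.symlink(os.path.join(root, "wp-config.php"), os.path.join(export_dir, "evil.zip"))
    except (OSError, NotImplementedError):
        pass

    for name in ("../wp-config.php", ".htaccess", "evil.zip", "demo-export.zip"):
        try:
            safe_resolve(export_dir, name)
            results[name] = "allowed"
        except (ValueError, FileNotFoundError) as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The three checks in safe_resolve are layered on purpose: the basename test stops ../ traversal, the extension allow-list stops the .htaccess and wp-config.php cases from the sample request (no traversal needed), and the realpath containment check catches a symlink already present inside the export directory, which the first two checks cannot see.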

Mitigation and Recommendations 

Website administrators are advised to take the following actions to address this bug:

  1. Update WPLMS: The vulnerability is resolved in version 4.963. Updating to this version or later removes the flaw and should be the first step wherever the theme is in use. Continue to watch for releases from the theme developer and apply them promptly.
  2. Deactivate and Remove the WPLMS Theme Where Updating Is Not Possible: Because the vulnerable script is reached by direct path, deactivating the theme alone is not sufficient; delete it if it is not needed, or at minimum block direct web requests to wp-content/themes/wplms/setup/installer/ at the web server until the update can be applied.
  3. Apply Strong File Permissions: Restrict what the web server (PHP) user may write. Deleting a file with unlink() requires write permission on the containing directory, not on the file, so making the WordPress root non-writable by the PHP user blocks deletion of wp-config.php even though the file must remain readable to PHP. Note that this does not stop the arbitrary file read.
  4. Implement File Integrity Monitoring: Monitor the integrity of critical WordPress files such as wp-config.php and .htaccess. Immediate alerts on deletion or modification can provide timely warning of exploitation before the follow-on installation step completes.
  5. Back Up WordPress Installations Regularly: Maintain regular backups of your website's files and database to ensure rapid recovery in the event of an attack.
  6. Web Application Firewall (WAF): Use a WAF to filter malicious requests. Rules should cover requests to the installer script with a zip_file value that is not a plain .zip filename, including URL-encoded and double-encoded traversal sequences, and should alert on unexpected requests to wp-admin/setup-config.php, which WordPress serves when wp-config.php is missing.
  7. Isolate WordPress Installations: For sites heavily dependent on the WPLMS theme, consider isolating the installation in a separate, highly controlled environment to reduce the risk of lateral movement if exploited.
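One way to implement the WAF and monitoring points above, as an added example that is not from the page, the theme vendor or any WAF product: a request classifier run over constructed sample traffic. The installer path and the download_export_zip/zip_file parameter names are taken from the sample request above; the wp-admin/setup-config.php indicator relies on WordPress core's standard behaviour of sending visitors to the installer when wp-config.php is absent. The request records and their format are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Path suffix and parameter names come from the sample request in the advisory.
INSTALLER_SUFFIX = "/setup/installer/envato-setup-export.php"
# WordPress core sends visitors here when wp-config.php is absent; on an
# established site that is a post-deletion indicator, not normal traffic.
SETUP_CONFIG_PATH = "/wp-admin/setup-config.php"


def _decode(value: str) -> str:
    """Collapse up to two layers of percent-encoding and normalise slashes."""
    for _ in range(2):
        value = unquote(value)
    return value.replace("\\", "/")


def zip_file_is_suspicious(value: str) -> bool:
    """True unless value is a bare *.zip filename with no path components."""
    v = _decode(value)
    if "/" in v or ".." in v or "\x00" in v:
        return True
    return not v.lower().endswith(".zip")


def classify_request(req: dict) -> Optional[str]:
    """Return a verdict for requests relevant to CVE-2024-10470, else None.

    req is a constructed record: {"method": ..., "path": ..., "body": ...}.
    """
    parts = urlsplit(req["path"])
    path = _decode(parts.path).lower()
    if path.endswith(INSTALLER_SUFFIX):
        # Parameters may arrive in the query string or the form body.
        params = parse_qs(parts.query, keep_blank_values=True)
        params.update(parse_qs(req.get("body", ""), keep_blank_values=True))
        if params.get("download_export_zip"):
            if any(zip_file_is_suspicious(v) for v in params.get("zip_file", [""])):
                return "block: CVE-2024-10470 file read/delete attempt"
        # Any external hit on the installer script deserves an alert: it should
        # only be exercised by an administrator during theme setup.
        return "alert: direct request to WPLMS installer script"
    if path == SETUP_CONFIG_PATH:
        return "alert: WordPress install wizard requested (wp-config.php missing?)"
    return None


def scan(requests: list) -> list:
    """Apply classify_request to each record; return (index, verdict) pairs."""
    return [(i, v) for i, r in enumerate(requests) if (v := classify_request(r))]


# Constructed sample traffic for the demo (not real logs).
SAMPLE_REQUESTS = [
    # 0: the sample request from the advisory
    {"method": "POST", "path": "/wp-content/themes/wplms/setup/installer/envato-setup-export.php",
     "body": "download_export_zip=1&zip_file=.htaccess"},
    # 1: double-encoded traversal with the parameters moved to the query string
    {"method": "GET", "path": "/wp-content/themes/wplms/setup/installer/envato-setup-export.php"
              "?download_export_zip=1&zip_file=%252e%252e%252fwp-config.php", "body": ""},
    # 2: well-formed export download, still hitting an unauthenticated script
    {"method": "POST", "path": "/wp-content/themes/wplms/setup/installer/envato-setup-export.php",
     "body": "download_export_zip=1&zip_file=wplms-demo-content.zip"},
    # 3: follow-on indicator after wp-config.php has been removed
    {"method": "GET", "path": "/wp-admin/setup-config.php", "body": ""},
    # 4: ordinary traffic
    {"method": "GET", "path": "/courses/?page=2", "body": ""},
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx]["method"], verdict)
```

Access logs normally record only the request line, so a POST body carrying zip_file is invisible there; the block verdicts need a WAF or reverse proxy that inspects bodies, while the two alert verdicts (any hit on the installer script, any hit on setup-config.php on an established site) can be raised from ordinary access logs.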

Conclusion 

The CVE-2024-10470 vulnerability in the WPLMS theme for WordPress represents a severe security threat to affected websites. By allowing unauthenticated file read and deletion, this flaw exposes database credentials, lets an attacker force the site back into its installation wizard, and from there opens the way to remote code execution and full compromise of the WordPress installation.

Administrators are urged to update WPLMS to version 4.963 or later without delay and, where that is not immediately possible, to remove the theme or block direct access to its installer script, tighten directory write permissions, and monitor critical files for deletion.

Following these recommendations, organizations can mitigate potential exploitation and protect their WordPress environments from unauthorized access and service disruption.

Source: 

https://nvd.nist.gov/vuln/detail/CVE-2024-10470
https://github.com/RandomRobbieBF/CVE-2024-10470
https://themeforest.net/item/wplms-learning-management-system/6780226
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/wplms/wplms-learning-management-system-for-wordpress-4962-unauthenticated-arbitrary-file-read-and-deletion
https://www.wordfence.com/threat-intel/vulnerabilities/researchers/friderika-baranyai

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented "as is" without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this blog may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
