CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-56043

CVSS 9.8v3.1pub. 2024-12-31upd. 2026-04-23

Incorrect Privilege Assignment vulnerability in VibeThemes WPLMS wplms_plugin allows Privilege Escalation.This issue affects WPLMS: from n/a through <= 1.9.9.

🤖 AI Analysis
How it works

The vulnerability results from an error in the permissions assignment mechanism (CWE-266) in the WPLMS plugin. An attacker without any authentication (PR:N, UI:N) can exploit the flaw over the network (AV:N) and obtain a higher privilege level than entitled. Low attack complexity (AC:L) means the exploit does not require any special conditions to be met on the victim's side or infrastructure.

Impact

An unauthenticated attacker can obtain elevated privileges within the WordPress site, which in practice can lead to complete takeover of the service, including reading, modifying, and deleting data.

Mitigation & patch

The WPLMS plugin should be immediately updated to a version higher than 1.9.9. Detailed information about the available patch is available in the Patchstack database and from the vendor. Until the update is applied, it is recommended to consider disabling the plugin on affected installations.

Who is affected

VibeThemes WPLMS plugin (wplms_plugin) for WordPress in versions from the beginning through 1.9.9 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vibethemes WordPress Learning Management System

    APP
    Vibethemes
    < 1.9.9.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2024-56046CRITICAL10.0PL ✓ten sam produkt

Niekontrolowane przesyłanie plików w pluginie WPLMS — upload Web Shell

CVE-2024-56042CRITICAL9.3PL ✓ten sam produkt

SQL Injection w pluginie WPLMS dla WordPress (VibeThemes)

CVE-2024-56044CRITICAL9.8PL ✓ten sam produkt

Authentication Bypass w pluginie WPLMS dla WordPress (do wersji 1.9.9)

CVE-2024-56045CRITICAL9.3PL ✓ten sam produkt

Path Traversal w WPLMS — nieautoryzowane usuwanie katalogów

CVE-2024-56050CRITICAL9.9PL ✓ten sam produkt

Nieograniczony upload plików w WPLMS — możliwość wgrania Web Shell