Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS wplms_plugin allows Authentication Bypass.This issue affects WPLMS: from n/a through <= 1.9.9.
The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) involves the WPLMS plugin's authentication mechanism being bypassed through an alternative access path or channel. According to reference information, the flaw allows an unauthenticated attacker to generate tokens for any user in the system without possessing their login credentials. The attack is possible remotely, without user interaction, and requires no privileges.
An attacker can gain unauthorized access to user accounts on the e-learning platform, including potentially administrator accounts, which could lead to complete takeover of the WordPress site and compromise of data confidentiality, integrity, and availability.
The WPLMS plugin must be immediately updated to a version higher than 1.9.9. Detailed information about available patches can be found in the manufacturer's references and in the Patchstack database.
WPLMS plugin (wplms_plugin) by VibeThemes for WordPress in versions from n/a to 1.9.9 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVibethemes WordPress Learning Management System
APPVibethemes< 1.9.9.1
Related vulnerabilities
Niekontrolowane przesyłanie plików w pluginie WPLMS — upload Web Shell
SQL Injection w pluginie WPLMS dla WordPress (VibeThemes)
WPLMS Plugin – nieuwierzytelniona eskalacja uprawnień (privilege escalation)
Path Traversal w WPLMS — nieautoryzowane usuwanie katalogów
Nieograniczony upload plików w WPLMS — możliwość wgrania Web Shell