CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-56050

CVSS 9.9v3.1pub. 2024-12-18upd. 2026-04-23

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.3.

🤖 AI Analysis
How it works

The WPLMS plugin does not properly verify the type or content of uploaded files (CWE-434: Unrestricted Upload of File with Dangerous Type). An attacker with only a subscriber account can upload a file containing executable code (e.g., a PHP file acting as a Web Shell) to the web server. After successful upload, the file can be executed by accessing it through a browser or HTTP request, giving the attacker remote access to the server.

Impact

An attacker can gain full control over the web server through arbitrary code execution (RCE), resulting in loss of confidentiality, integrity, and availability of all data and resources of the hosted system.

Mitigation & patch

The WPLMS plugin must be updated immediately to version 1.9.9.5.3 or later. Detailed information regarding the patch is available in the vendor's references and the Patchstack database.

Who is affected

WPLMS plugin (wplms_plugin) for WordPress in versions from unknown earlier versions to below 1.9.9.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Vibethemes WordPress Learning Management System

    APP
    Vibethemes
    < 1.9.9.5.3
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2024-56045CRITICAL9.3PL ✓ten sam produkt

Path Traversal w WPLMS — nieautoryzowane usuwanie katalogów

CVE-2024-56042CRITICAL9.3PL ✓ten sam produkt

SQL Injection w pluginie WPLMS dla WordPress (VibeThemes)

CVE-2024-56043CRITICAL9.8PL ✓ten sam produkt

WPLMS Plugin – nieuwierzytelniona eskalacja uprawnień (privilege escalation)

CVE-2024-56044CRITICAL9.8PL ✓ten sam produkt

Authentication Bypass w pluginie WPLMS dla WordPress (do wersji 1.9.9)

CVE-2024-56046CRITICAL10.0PL ✓ten sam produkt

Niekontrolowane przesyłanie plików w pluginie WPLMS — upload Web Shell