Article Details

Premium WPLMS WordPress plugins address seven critical flaws. Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities. The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections. The WPLMS theme is a learning management system (LMS) for WordPress, used primarily by educational institutions, corporations providing training, and e-learning providers. It also offers integration with WooCommerce for selling courses. Vulnerabilities in WPLMS theme Patchstack vulnerability researchers found a total of 18 security issues in the WPLMS and VibeBP plugins and present in a recent report 10 of the most significant ones. Here’s a summary of the flaws impacting the WPLMS theme: And for VibeBP: Users of WPLMS should upgrade to version 1.9.9.5.3 and newer, while VibeBP should be upgraded to 1.9.9.7.7 or later. As a general security advice, Patchstack suggests that websites enforce secure file uploads, SQL query sanitation, and role-based access controls. Patchstack found the vulnerabilities and on March 31 notified Vibe Themese, the developer of WPLMS, of the issues. Between April and November, the developer tested multiple patches until they were able to fix all the vulnerabilities. Vibe Themes collaborated with Patchstack to make sure that the delivered fix addresses all the bugs.