A security researcher, Friderika Baranyai, has discovered a critical path traversal bug in the WPLMS WordPress theme that leaves websites , allows attackers to read and delete arbitrary files on the server with potential Remote Code Execution.
The vulnerability tracked as CVE-2024-10470 with a CVSS score of 9.8 stems from inadequate file path validation in functions handling file reading and deletion. This vulnerability could affect thousands of LMS-driven websites, risking unauthorized data access and complete system compromise.
The vulnerability impacts all WPLMS versions up to 4.962. While not requiring authentication, attackers exploit the flaw by targeting the theme’s file handling functions. Even if the theme is inactive.
A crafted request, such as the one described by GitHub user RandomRobbieBF. Attackers can delete essential files like wp-config.php—a configuration file necessary for WordPress operation—potentially resulting in full server control.
An attacker could execute this vulnerability by sending crafted HTTP POST requests with the “download_export_zip” parameter, manipulating the server to delete or read critical files. For instance:
POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1
Host: [Target-IP]
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
download_export_zip=1&zip_file=.htaccess
This request targets sensitive files like .htaccess, potentially destabilizing the server or granting unauthorized file access.
Administrators using the WPLMS theme should take immediate action to secure their WordPress environments. No proof of active exploitation reported.
Recommended steps include:
- Deactivate and remove WPLMS Theme
- Strengthen Access Controls
- Implement File Integrity Monitoring
- Regular Backups
- Deploy a Web Application Firewall
Administrators urged to secure their WordPress installations, apply any available patches, and enforce strong access controls. These steps will help mitigate the chances of unauthorized access and safeguard critical site functions.
