Two major WordPress plugins had some serious security flaws, so make sure you're patched
- Two WordPress plugins contain 18 security flaws
- Most of them are rated critical because, among other things, they allow remote code execution (RCE)
- They are all patched now, so make sure to upgrade your plugins
Two premium WordPress plugins were found to contain more than a dozen vulnerabilities, some of which were considered critical.
This is according to the WordPress security platform Patchstack, which discovered the problems in the two plugins at the end of March 2024 and reported them to the developers. All of the bugs have since been fixed.
The bugs were found in WPLMS and VibeBP plugins.
Update plugins
Learning Management System (LMS) plugins turn a WordPress site into a platform for creating, managing, and selling online courses. They add educational features to WordPress, allowing teachers or organizations to deliver courses, track student progress, and engage students.
One of the more popular LMS platforms out there is WPLMS, built by a company called VibeThemes. It has been purchased over 28,000 times and comes with tons of features like course creation and management, quizzes and assessments, membership and subscription support, and more.
VibeBP, on the other hand, is a WordPress plugin that integrates BuddyPress with WPLMS, improving its social learning features. It allows users to create communities by providing options for user profiles, activity streams, private messages and notifications. It is also built by VibeThemes.
Patchstack says it found 18 vulnerabilities, most of which were critical.
They allowed remote, unauthenticated attackers to upload arbitrary files, execute code, escalate privileges, and perform SQL injections. In other words, they could use the bugs to take over websites, steal sensitive data, and more. One bug – CVE-2024-56046 – even received the maximum score, 10/10, as it allows malicious actors to upload arbitrary files without authentication, potentially leading to remote code execution (RCE).
The full list of vulnerabilities and affected versions can be found at this link.
WPLMS users should ensure that their platform is upgraded to version 1.9.9.5.3 or newer, and VibeBP to 1.9.9.7.7 or newer.
As a rule of thumb, site owners and plugin developers should enforce secure file upload handling (authentication plus a file-type allow-list), parameterized SQL queries, and role-based access controls, according to Patchstack.
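To make those three controls concrete, here is an added, generic WordPress AJAX upload handler written for this article, first in the weak form that combines an unauthenticated endpoint, an unchecked file name and a concatenated SQL query, and then hardened with a nonce, a capability check, a content-based file-type allow-list and `$wpdb->prepare()`. This is illustrative code only, not the WPLMS or VibeBP source or the patched code; the hook names, the `lms_courses` table and its `author_id` column are assumptions.

```php
<?php
/**
 * Illustrative WordPress AJAX upload handler: weak pattern, then hardened.
 * Generic example, not WPLMS/VibeBP code. Hook names, the lms_courses table
 * and the author_id column are assumptions made for the example.
 */

// --- Weak pattern: reachable without login, no nonce, no role check, no type check.
add_action( 'wp_ajax_nopriv_lms_upload_weak', 'lms_upload_weak' ); // assumed hook name
add_action( 'wp_ajax_lms_upload_weak', 'lms_upload_weak' );
function lms_upload_weak() {
    global $wpdb;
    $dir = wp_upload_dir();
    // The attacker controls the file name (including its extension) and the bytes,
    // so a .php file lands in a web-reachable directory: arbitrary upload -> RCE.
    $dest = $dir['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    // course_id is concatenated straight into the statement: SQL injection.
    $wpdb->query( "UPDATE {$wpdb->prefix}lms_courses SET attachment = '$dest' WHERE id = " . $_POST['course_id'] );
    wp_send_json_success( $dest );
}

// --- Hardened pattern. No wp_ajax_nopriv_ hook, so anonymous requests never reach it.
add_action( 'wp_ajax_lms_upload_safe', 'lms_upload_safe' ); // assumed hook name
function lms_upload_safe() {
    global $wpdb;

    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'lms_upload_safe', 'nonce' );

    // 2. Role-based access: only users who may edit course content get further.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. File-type allow-list: check the declared extension AND the file's real content.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress store the file: sanitised unique name inside the uploads dir.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // 5. Parameterised query (%d for integers, %s for strings) and an ownership
    //    clause so a user cannot attach files to someone else's course.
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $table     = $wpdb->prefix . 'lms_courses'; // assumed table name
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$table} SET attachment = %s WHERE id = %d AND author_id = %d",
        $result['file'],
        $course_id,
        get_current_user_id()
    ) );

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The decisive differences are the registration (only `wp_ajax_` hooks, so WordPress itself rejects logged-out callers), the content-based check in `wp_check_filetype_and_ext()` (a PHP file renamed to `.png` fails the signature test even though its extension matches), and `$wpdb->prepare()`, which makes the `course_id` value a bound integer rather than part of the SQL text.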
Via BleepingComputer