- Two WordPress Plugins Found With 18 Security Flaws
- Most of them are considered critical, as they allow CERs, among other things.
- They have all been patched already, so be sure to update your plugins.
Two premium WordPress plugins were found to have more than a dozen vulnerabilities, some of which were considered critical.
This is according to WordPress cybersecurity platform Patchstack, which found the issues in the website builder in late March 2024 and reported them to developers. All bugs have since been mitigated.
The bugs were found in the WPLMS and VibeBP plugins.
Plugin Update
WordPress enables learning management systems (LMS), platforms that allow users to create, manage, and sell online courses directly from their WordPress website. LMS plugins integrate educational features and functionality with WordPress, allowing instructors or organizations to deliver courses, track student progress, and engage students effectively.
One of the most popular LMS platforms is WPLMS, created by a company called VibeThemes. Already purchased over 28,000 times, it comes with numerous features such as course creation and management, quizzes and assessments, membership and subscription support, and more.
VibeBP, on the other hand, is a WordPress plugin that integrates BuddyPress with WPLMS, enhancing its social learning features. It allows users to create communities by providing options for user profiles, activity streams, private messages, and notifications. It was also built by VibeThemes.
Patchstack says it found 18 vulnerabilities, most of which were critical in severity.
They allowed remote, unauthenticated attackers to upload arbitrary files, execute code, escalate privileges, and perform SQL injections. In other words, they could use the bugs to take over websites, steal sensitive data, and more. One bug, CVE-2024-56046, even received the maximum score, 10/10, as it allows malicious actors to upload arbitrary files without authentication, which could lead to remote code execution (RCE).
The full list of vulnerabilities, as well as the affected versions, can be found at this link.
WPLMS users should ensure their platform is updated to version 1.9.9.5.3 or later, and VibeBP to version 1.9.9.7.7 or later.
As a general rule, site owners should enforce secure file uploads, SQL query sanitization, and role-based access controls, Patchstack said.
Through beepcomputer
