28,000 WordPress Sites Affected by Arbitrary File Read and Deletion Vulnerability in WPLMS WordPress Theme
On October 19th, 2024, we received a submission for an Arbitrary File Read and Deletion vulnerability in WPLMS, a WordPress premium theme with more than 28,000 sales. This vulnerability makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
Props to Foxyyy who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $900.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 28, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on November 27, 2024.
We contacted the VibeThemes team on October 28, 2024, and on November 4, 2024, and received a response on November 5, 2024. After providing full disclosure details, the developer released a patch on November 8, 2024. We would like to commend the VibeThemes team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of WPLMS, version 4.963 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Theme: WPLMS Learning Management System for WordPress
Theme Slug: wplms
Affected Versions: <= 4.962
CVE ID: CVE-2024-10470
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Foxyyy
Fully Patched Version: 4.963
Bounty Award: $900.00
The WPLMS Learning Management System for WordPress theme is vulnerable to arbitrary file read and deletion due to insufficient file path validation and missing permissions checks around the readfile() and unlink() calls in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
Technical Analysis
WPLMS is a WordPress premium theme which includes many features, such as courses, quizzes, certificates and badges.
Examining the code reveals that the theme uses code in the envato-setup-export.php file to download a created zip file during the website content export.

    }elseif( isset($_POST['download_export_zip']) ){
        // Download Created Zip file
        $filename = $_POST['zip_file'];
        if ( file_exists($filename) ) {
            if ( headers_sent() ){
                // HTTP header has already been sent
                return false;
            }
            // clean buffer(s)
            while ( ob_get_level() > 0 ){
                ob_end_clean();
            }
            ob_start();
            //Send headers to browser for zip download
            header('Content-Type: application/zip');
            header('Content-Disposition: attachment; filename="'.basename($filename).'"');
            header('Content-Length: ' . filesize($filename));
            ob_flush();
            ob_clean();
            readfile($filename);
            // delete zip file after download
            unlink($filename);
        }
The code does not include a capability check, and nothing prevents direct file access, so the file and the code are reachable without authentication. This also means that the website is vulnerable even if the theme is not activated; having the vulnerable version of the theme installed is enough.
Unfortunately, the zip_file parameter is not properly sanitized. The file's content is read with the readfile() function for download, and then it is immediately deleted with the unlink() function.
This means that attackers can specify any file on the server to be read and then subsequently deleted. This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site's wp-config.php file. Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.
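For comparison, here is an added, hardened rewrite of the download branch. It is not VibeThemes' code or their actual 4.963 patch; the function name, the nonce action name, the admin_post hook and the "exports" folder under wp-content/uploads are assumptions for the illustration. It addresses each weakness the analysis above names: direct file access, the missing capability check, and the unsanitized zip_file path.

```php
<?php
// Added example (not the theme's code). Assumes it is loaded by WordPress,
// so ABSPATH and the WordPress API are available, and that export archives
// are written to the assumed folder wp-content/uploads/exports.

defined( 'ABSPATH' ) || exit; // blocks direct requests to the file, active theme or not

function wplms_example_download_export_zip() {
    // 1. Only an administrator who submitted the export form may download.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wplms_export_zip', '_wpnonce' ); // dies on a missing or invalid nonce

    // 2. Accept only a bare .zip file name, never a path (basename strips any directories).
    $name = sanitize_file_name( basename( wp_unslash( $_POST['zip_file'] ?? '' ) ) );
    if ( '' === $name || 'zip' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        wp_die( 'Invalid export file.', '', array( 'response' => 400 ) );
    }

    // 3. Resolve inside the fixed export directory and confirm the result stayed there.
    $upload   = wp_upload_dir();
    $base_dir = realpath( trailingslashit( $upload['basedir'] ) . 'exports' );
    $target   = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $base_dir || false === $target || ! is_file( $target )
         || 0 !== strpos( $target, $base_dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Export file not found.', '', array( 'response' => 404 ) );
    }

    if ( headers_sent() ) {
        return false;
    }
    while ( ob_get_level() > 0 ) {
        ob_end_clean();
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $target ) );
    readfile( $target );
    unlink( $target ); // can now only remove an archive the site itself produced
    exit;
}

// Route the form through admin-post.php instead of calling the file directly (assumed hook name).
add_action( 'admin_post_wplms_download_export_zip', 'wplms_example_download_export_zip' );
```

The realpath() comparison is what closes the traversal: even a sanitized name that survives as a symlink pointing outside the export folder resolves to a path that fails the prefix check.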
Disclosure Timeline
October 19, 2024 – We received the submission for the Arbitrary File Read and Deletion vulnerability in WPLMS via the Wordfence Bug Bounty Program.
October 28, 2024 – We validated the report and confirmed the proof-of-concept exploit.
October 28, 2024 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
October 28, 2024 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
November 4, 2024 – After not receiving a response, we followed up by sending an email to the vendor’s other email address.
November 5, 2024 – The vendor confirmed the inbox for handling the discussion.
November 5, 2024 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
November 8, 2024 – The fully patched version of the theme, 4.963, was released.
November 27, 2024 – Wordfence Free users receive the same protection.
Conclusion
In this blog post, we detailed an Arbitrary File Read and Deletion vulnerability within the WPLMS theme affecting versions 4.962 and earlier. This vulnerability allows unauthenticated threat actors to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. The vulnerability has been addressed in version 4.963 of the theme.
We encourage WordPress users to verify that their sites are updated to the latest patched version of WPLMS as soon as possible considering the critical nature of this vulnerability.
Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against this vulnerability as of October 28, 2024. Users of the free version of Wordfence will receive the same protection 30 days later on November 27, 2024.
If you know someone who uses this theme on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.