CVE-2024-10470
published 2024-11-09

Priority: P278 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 34.09% (98.2th percentile)
The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.

Affected

1 range
Vendor      Product                                Version range  Fixed in
vibethemes  wordpress_learning_management_system   < 4.963        4.963

Detection & IOCs (extracted from sources)

path: /wp-content/themes/wplms/setup/installer/envato-setup-export.php
url: github.com/RandomRobbieBF/CVE-2024-10470
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress WPLMS Learning Management System Directory Traversal"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/themes/wplms/setup/installer/envato-setup-export.php"; fast_pattern; http.request_body; content:"download_export_zip|3d|"; content:"zip_file|3d|"; reference:url,github.com/RandomRobbieBF/CVE-2024-10470; classtype:web-application-attack; sid:2057704; rev:1; metadata:affected_product Wordpress, created_at 2024_11_18, cve CVE_2024_10470, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_18, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Look for unauthenticated POST requests to the vulnerable installer script with body parameters 'download_export_zip=' and 'zip_file=' — these are the key indicators of directory traversal exploitation attempts.
  • The theme is exploitable even when not activated — do not rely on theme-activation status as a mitigation signal when hunting for exploitation.
  • Deletion of wp-config.php via the unlink function is a high-confidence indicator of active exploitation leading to RCE — monitor for unexpected removal of wp-config.php on WordPress hosts.
  • No authentication is required to trigger the vulnerability; treat any external source hitting the installer endpoint as suspicious.
  • The Snort/ET rule is scoped to inbound HTTP POST traffic to $HOME_NET; environments using SSL/TLS inspection must enable the SSLDecrypt deployment tag for coverage, as encrypted traffic will otherwise bypass detection.
  • Affected versions are all releases up to and including 4.962 of the WPLMS theme; ensure version-based suppression or patching logic accounts for this upper bound.
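
An added example (not part of the original page or of the cited rule): a Python hunt over web access logs for requests to the installer endpoint listed above, grouped by source address. The combined log format, the function name hunt and the sample lines are assumptions constructed for illustration; access logs carry no request body, so the download_export_zip= and zip_file= parameters cannot be confirmed from them and a POST is only ranked higher, not proven malicious.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint taken from the path IOC and the rule on this page.
INSTALLER_PATH = "/wp-content/themes/wplms/setup/installer/envato-setup-export.php"

# Assumed combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def hunt(lines):
    """Return {source_ip: [(timestamp, method, status, severity), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        # Normalise before comparing: drop the query string, decode
        # percent-escapes, collapse repeated slashes.
        path = re.sub(r"/+", "/", unquote(m["uri"].split("?", 1)[0]))
        # endswith() also covers WordPress installed in a subdirectory.
        if not path.endswith(INSTALLER_PATH):
            continue
        # POST is the method the rule keys on; other methods still get reviewed
        # because nothing legitimate should reach this script from outside.
        severity = "high" if m["method"] == "POST" else "review"
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"]), severity))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2024:10:01:02 +0000] "POST /wp-content/themes/wplms/'
    'setup/installer/envato-setup-export.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [18/Nov/2024:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" '
    '200 4096 "-" "curl/8.0"',
    '198.51.100.23 - - [18/Nov/2024:11:15:40 +0000] "GET /blog//wp-content/themes/'
    'wplms/setup/installer/envato%2Dsetup-export.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Nov/2024:12:00:00 +0000] "GET /wp-content/themes/wplms/'
    'style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in hunt(SAMPLE_LOG).items():
        for ts, method, status, severity in events:
            print(f"{severity:6} {ip:15} {ts} {method} -> {status}")
```

A hit here is a reason to check the same host for a missing or recently recreated wp-config.php, which the page names as the high-confidence sign of exploitation.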