Themes Vulnerabilities

WPLMS < 1.9.9.5.3 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The WPLMS plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.9.9.5.3 (exclusive). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Themes

wplms
Fixed in 1.9.9.5.3

References

CVE
CVE-2024-56050
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5983142d-550f-488f-a2d9-ee552ae8818f

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
e7cdcf96-158e-4618-af87-01e02a11a7e1

Timeline

Publicly Published
2024-12-17 (about 1 year ago)
Added
2025-01-08 (about 1 year ago)
Last Updated
2025-01-08 (about 1 year ago)

Other

Published
Title
Published
2024-05-10
Title
Kognetiks Chatbot for WordPress < 2.0.0 - Unauthenticated Arbitrary File Upload via chatbot_chatgpt_upload_file_to_assistant Function
Published
2021-04-11
Title
College Publisher Import <= 0.1 - Arbitrary File Upload to RCE
Published
2014-08-01
Title
Wordpress Levo-Slideshow - Arbitrary File Upload
Published
2021-06-28
Title
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in Image Uploader Component
Published
2014-08-01
Title
LISL Last Image Slider 1.0 - Shell Upload