Severity
High
Analysis Summary
CVE-2024-56047 CVSS:8.5
An SQL injection vulnerability (improper neutralization of special elements used in an SQL command) in VibeThemes WPLMS. This issue affects WPLMS versions before 1.9.9.5.3.
CVE-2024-56048 CVSS:8.8
WPLMS plugin for WordPress could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a missing authorization check. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to access privileged functionality.
CVE-2024-56050 CVSS:9.9
WPLMS plugin for WordPress could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
CVE-2024-56052 CVSS:9.9
WPLMS plugin for WordPress could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
CVE-2024-56054 CVSS:9.1
An unrestricted upload of file with dangerous type vulnerability in VibeThemes WPLMS allows uploading a web shell to a web server. This issue affects WPLMS versions before 1.9.9.5.2.
CVE-2024-56057 CVSS:9.9
WPLMS plugin for WordPress could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
Impact
- Data Manipulation
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-56047
- CVE-2024-56048
- CVE-2024-56050
- CVE-2024-56052
- CVE-2024-56054
- CVE-2024-56057
Affected Vendors
Affected Products
- VibeThemes WPLMS - n/a
- WPLMS plugin for WordPress 1.9.9
- WPLMS plugin for WordPress 1.9.9.5.1
Remediation
Update the WordPress plugin to the latest available version.
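A triage check to run alongside the update, added here as an example and not part of the original advisory or the vendor's code: it compares an installed WPLMS version against the two fixed versions this advisory states, and lists files under an uploads directory whose names carry a PHP-executable extension. The function names and the extension list are assumptions; adjust the list to what your web server actually maps to PHP.

```python
import os
import re

# Fixed versions exactly as stated in this advisory.
# The other listed CVEs give no fixed version here, so they are not mapped.
FIXED_IN = {
    "CVE-2024-56047": "1.9.9.5.3",
    "CVE-2024-56054": "1.9.9.5.2",
}

# Assumption: extensions commonly routed to the PHP handler.
# Matches the extension anywhere in the name, so 'avatar.php.jpg' is caught too.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)


def parse_version(text):
    """Turn '1.9.9.5.1' into (1, 9, 9, 5, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def unpatched_cves(installed):
    """Return the mapped CVEs whose fixed version is newer than `installed`."""
    have = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if have < parse_version(fixed))


def suspicious_uploads(root):
    """List files under `root` that need review: uploaded media should not
    carry a PHP-executable extension, in any position or letter case."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if PHP_EXT.search(name):
                hits.append(os.path.relpath(os.path.join(folder, name), root))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: script.py <installed WPLMS version> <path to uploads directory>
    print("unpatched:", unpatched_cves(sys.argv[1]))
    for path in suspicious_uploads(sys.argv[2]):
        print("review:", path)
```

A hit from the uploads scan is a prompt for manual review, not a verdict; some plugins legitimately place an index.php stub in upload folders.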

