Malicious actors could leverage a new critical path traversal issue impacting the WordPress learning management system theme WPLMS, tracked as CVE-2024-10470, to facilitate remote code execution and arbitrary file compromise, The Cyber Express reports.
Exploitation of the vulnerability, which arises from missing file validation in the functions that handle file reading and deletion, could be conducted by sending specially crafted HTTP POST requests to any WPLMS version up to 4.962, which would then allow critical files to be read or deleted, according to cybersecurity researcher Friderika Baranyai, who identified and reported the bug. Organizations' admins have been recommended not only to immediately deactivate and remove the WPLMS theme but also to bolster access controls and ensure file integrity monitoring. Aside from performing regular WordPress file backups, admins should also adopt a web application firewall and upgrade to the latest version, 4.963, of the theme to prevent attacks that could compromise system control and data integrity.
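As an added illustration, not code from WPLMS, the researcher, or The Cyber Express, the following PHP shows the kind of file-path validation whose absence produces this class of bug: a user-supplied file name is resolved with realpath() and rejected unless the result stays inside one fixed base directory, and only then is it handed to the read or delete routine. The function names and the temporary directory layout are hypothetical.

```php
<?php
// Added example (not WPLMS code). Confine a user-supplied file name to a
// fixed base directory before any file_get_contents() or unlink() call.
// All function names here are hypothetical illustrations.

function safe_path_in_dir(string $base_dir, string $user_name): ?string
{
    // Reject empty names, embedded null bytes, and absolute paths outright.
    if ($user_name === '' || strpos($user_name, "\0") !== false) {
        return null;
    }
    if ($user_name[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $user_name)) {
        return null;
    }

    $base = realpath($base_dir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }

    // realpath() collapses "../" segments and follows symlinks, so the
    // only check needed afterwards is a prefix comparison against $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_name);
    if ($candidate === false) {
        return null; // target does not exist; nothing to read or delete
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $candidate;
}

// In a real WordPress handler these would additionally be gated by a
// capability check (current_user_can()) and a nonce check before any I/O.
function read_export_file(string $base_dir, string $name): ?string
{
    $path = safe_path_in_dir($base_dir, $name);
    if ($path === null || !is_file($path)) {
        return null;
    }
    return file_get_contents($path);
}

function delete_export_file(string $base_dir, string $name): bool
{
    $path = safe_path_in_dir($base_dir, $name);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Demonstration on a constructed temporary directory.
$base = sys_get_temp_dir() . '/path_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/report.csv', "id,score\n1,90\n");

var_dump(read_export_file($base, 'report.csv') !== null);   // in-directory read allowed
var_dump(read_export_file($base, '../../etc/passwd'));      // traversal rejected (null)
var_dump(delete_export_file($base, '../../wp-config.php')); // traversal rejected (false)
var_dump(delete_export_file($base, 'report.csv'));          // in-directory delete allowed

rmdir($base);
```

The prefix comparison is done on the resolved path rather than on the raw input, so encoded or doubled "../" sequences and symlinks that point outside the base directory are all caught by the same check; a file integrity monitor and a web application firewall, as the advisory recommends, remain useful as a second layer for code that lacks such validation.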