CVE-2024-10470: WPLMS Path Traversal Vulnerability

CVE-2024-10470 Overview

CVE-2024-10470 is a path traversal vulnerability in the WPLMS Learning Management System theme for WordPress, developed by Vibethemes. The flaw affects all versions up to and including 4.962. Unauthenticated attackers can read and delete arbitrary files on the server because the theme's readfile and unlink calls lack file path validation and permission checks. Deleting critical files such as wp-config.php forces WordPress into setup mode, enabling attackers to connect the site to an attacker-controlled database and achieve remote code execution. The theme remains exploitable even when it is not activated, broadening the attack surface to any site with the theme installed.

Critical Impact

Unauthenticated remote attackers can delete wp-config.php and pivot to full remote code execution on the underlying server.

Affected Products

• Vibethemes WPLMS Learning Management System for WordPress (theme)
• All versions up to and including 4.962
• Installations where the theme is present, even when not activated

Discovery Timeline

• 2024-11-09 - CVE-2024-10470 published to NVD
• 2025-12-23 - Last updated in NVD database

Technical Details for CVE-2024-10470

Vulnerability Analysis

The vulnerability is classified as a path traversal weakness [CWE-22]. The WPLMS theme exposes endpoints that pass user-controlled input directly to PHP's readfile and unlink functions. Neither function call is preceded by canonicalization of the supplied path, validation against an allowlist of permitted directories, or a capability check on the requesting user.

Because the entry points are reachable without authentication, any unauthenticated visitor can request the file operations. The theme's vulnerable code paths are also registered during initialization independent of activation state, so a deactivated but installed theme still serves the affected handlers.

Deleting wp-config.php triggers WordPress to enter its installation wizard on the next request. An attacker who reaches that wizard first can supply a remote database connection, create an administrator account, and upload a malicious plugin or theme to execute arbitrary PHP on the host.

Root Cause

The root cause is missing input validation and missing authorization. User-supplied file path parameters flow into readfile and unlink without sanitization, normalization, or restriction to a safe base directory. There is no current_user_can check or nonce verification protecting the affected handlers.

Attack Vector

Exploitation occurs over the network through standard HTTP requests to the WordPress site. The attacker sends a crafted request to the vulnerable theme endpoint containing a relative or absolute path. Sequences such as ../ allow traversal outside the theme directory to read or delete any file the web server process can access. No user interaction, credentials, or prior compromise are required.

Technical details and an indicator of compromise overview are documented in the Wordfence Vulnerability Analysis.

Detection Methods for CVE-2024-10470

Indicators of Compromise

• Missing or zero-byte wp-config.php on a previously functional WordPress installation
• WordPress installation wizard (/wp-admin/setup-config.php) being served unexpectedly on a production site
• Unexpected administrator accounts created shortly after a file-deletion event
• HTTP requests to WPLMS theme endpoints containing ../, encoded traversal sequences, or absolute filesystem paths in query parameters

Detection Strategies

• Inspect web server access logs for unauthenticated requests to /wp-content/themes/wplms/ handlers that include path parameters with traversal characters.
• Alert on PHP error logs reporting unlink or readfile calls against paths outside the theme directory.
• Monitor file integrity for wp-config.php, .htaccess, and core WordPress files; any deletion of these should generate a high-severity alert.

Monitoring Recommendations

• Enable file integrity monitoring on the WordPress webroot, with priority on configuration files.
• Forward web server, PHP, and WordPress audit logs to a centralized log platform for correlation against known WPLMS exploitation patterns.
• Track the EPSS score for this CVE — currently 48.485% at the 97.783 percentile — as an indicator of active exploitation likelihood.

How to Mitigate CVE-2024-10470

Immediate Actions Required

• Update the WPLMS Learning Management System theme to a version newer than 4.962 as soon as the vendor publishes a fixed release.
• If a fixed version is not yet available, remove the theme directory from wp-content/themes/ entirely; deactivation alone does not mitigate the issue.
• Restore wp-config.php from backup if it has been deleted, and rotate all database credentials and WordPress salts before bringing the site back online.
• Audit administrator accounts, installed plugins, and the uploads directory for attacker-introduced artifacts.

Patch Information

Refer to the vendor product page at ThemeForest Item Details for the latest WPLMS release. Confirm that the installed version is greater than 4.962 before considering the system patched.

Workarounds

• Block requests to vulnerable WPLMS endpoints at the web application firewall, with rules denying path parameters containing ../, URL-encoded traversal, or absolute paths.
• Restrict the web server user's filesystem permissions so it cannot delete wp-config.php or files outside wp-content/uploads/.
• Remove the theme directory from disk on any site that does not actively use WPLMS, since installation alone is sufficient for exploitation.

# Configuration example: remove the vulnerable theme from disk
cd /var/www/html/wp-content/themes/
rm -rf wplms/

# Restrict write permissions on wp-config.php
chown root:www-data /var/www/html/wp-config.php
chmod 640 /var/www/html/wp-config.php