CVE-2024-10470: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in VibeThemes WPLMS Learning Management System for WordPress, WordPress LMS
The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
AI Analysis
Technical Summary
The WPLMS Learning Management System for WordPress theme suffers from CWE-22: improper limitation of a pathname to a restricted directory. Specifically, the readfile and unlink functions do not properly validate file paths or check permissions, enabling unauthenticated attackers to arbitrarily read and delete files on the server. This vulnerability affects all versions up to 4.962 and is exploitable regardless of whether the theme is activated. The deletion of critical files such as wp-config.php can result in remote code execution. The CVSS 3.1 score is 9.8, indicating a critical severity with network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.
Potential Impact
An unauthenticated attacker can delete arbitrary files on the server hosting the vulnerable WordPress theme. This can lead to remote code execution if key files like wp-config.php are deleted, severely compromising the affected system's confidentiality, integrity, and availability. The vulnerability exists even if the theme is not activated, increasing the attack surface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected WordPress installation and consider disabling or removing the vulnerable theme if possible. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2024-10470: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in VibeThemes WPLMS Learning Management System for WordPress, WordPress LMS
Description
The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WPLMS Learning Management System for WordPress theme suffers from CWE-22: improper limitation of a pathname to a restricted directory. Specifically, the readfile and unlink functions do not properly validate file paths or check permissions, enabling unauthenticated attackers to arbitrarily read and delete files on the server. This vulnerability affects all versions up to 4.962 and is exploitable regardless of whether the theme is activated. The deletion of critical files such as wp-config.php can result in remote code execution. The CVSS 3.1 score is 9.8, indicating a critical severity with network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.
Potential Impact
An unauthenticated attacker can delete arbitrary files on the server hosting the vulnerable WordPress theme. This can lead to remote code execution if key files like wp-config.php are deleted, severely compromising the affected system's confidentiality, integrity, and availability. The vulnerability exists even if the theme is not activated, increasing the attack surface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected WordPress installation and consider disabling or removing the vulnerable theme if possible. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-10-28T15:48:33.963Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6df4b7ef31ef0b5914c9
Added to database: 2/25/2026, 9:47:32 PM
Last enriched: 4/9/2026, 7:01:13 PM
Last updated: 4/12/2026, 1:06:20 AM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.