Wordfence Bug Bounty Program Addresses WPLMS Vulnerability
Quick take - The Cybersecurity Month Spooktacular Haunt and WordPress Superhero Challenge, part of the Wordfence Bug Bounty Program running until November 11, 2024, encourages researchers to identify vulnerabilities in WordPress plugins and themes. The challenge was highlighted by a recent discovery of a critical vulnerability in the WPLMS theme that allows unauthenticated attackers to read and delete server files, prompting Wordfence to deploy protective firewall rules and to work with the theme's developers on a patch.
Fast Facts
- The Cybersecurity Month Spooktacular Haunt and WordPress Superhero Challenge is part of the Wordfence Bug Bounty Program, running until November 11, 2024, to identify vulnerabilities in WordPress plugins and themes with 1,000+ active installations.
- A significant vulnerability was discovered in the WPLMS theme, allowing unauthenticated attackers to read and delete critical files, including wp-config.php, posing severe risks of site takeovers.
- The researcher Foxyyy reported the vulnerability and received a $900 bounty; Wordfence issued a firewall rule for premium users on October 28, 2024, with free users to receive protection by November 27, 2024.
- VibeThemes released a patch for the vulnerability on November 8, 2024, and users are urged to update to the latest version (4.963) as all versions up to 4.962 are affected.
- The vulnerability arises from insufficient file path validation and permissions checks, highlighting the need for prompt action due to additional concerns found in the theme’s code.
Cybersecurity Month Spooktacular Haunt and WordPress Superhero Challenge
The Cybersecurity Month Spooktacular Haunt and WordPress Superhero Challenge is currently in progress as part of the Wordfence Bug Bounty Program. This program is set to run through November 11, 2024, and is designed to encourage researchers to identify vulnerabilities in WordPress plugins and themes.
Program Details
Eligible themes and plugins must have 1,000 or more active installations. All in-scope vulnerability types are open for research. Participants in the program can earn automatic bonuses for valid submissions, which range from 10% to 120%. Potential earnings for high-impact vulnerabilities can reach up to $31,200.
On October 19, 2024, a significant submission was made concerning an Arbitrary File Read and Deletion vulnerability found in the WPLMS theme, a premium WordPress theme with over 28,000 sales. The identified vulnerability allows unauthenticated attackers to read and delete arbitrary files on a server, including critical files like the wp-config.php file. Such vulnerabilities pose a severe risk, potentially leading to site takeovers and remote code execution.
Response and Mitigation
The vulnerability was reported through the Wordfence Bug Bounty Program by a researcher known as Foxyyy, who received a bounty of $900.00 for the submission. In response, Wordfence aims to enhance web security by investing in vulnerability research and collaborating with security researchers. To protect users, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule on October 28, 2024, to protect against exploits targeting the vulnerability. Users of the free version of Wordfence will receive the same protection later, on November 27, 2024.
Following the identification of the vulnerability, Wordfence contacted the VibeThemes team on October 28 and November 4, 2024. A response was received from VibeThemes on November 5, 2024, and a patch for the vulnerability was released by the developer on November 8, 2024. Users are encouraged to update to the latest patched version of the WPLMS theme, which is 4.963.
Vulnerability Analysis
The vulnerability in the WPLMS theme stems from insufficient file path validation and inadequate permissions checks around the calls to the readfile and unlink functions. All versions up to and including 4.962 are affected. Notably, the WPLMS theme remains vulnerable even when it is installed but not activated. The theme features various functionalities, including courses, quizzes, certificates, and badges. Code analysis has revealed additional concerns: the theme uses dedicated code to serve a generated zip file for download during website content exports, which further emphasizes the importance of addressing the vulnerability promptly.
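The defect class described above (a download handler that passes a user-controlled path to readfile and unlink without a capability check or path validation) is illustrated here with an added, hardened WordPress handler. This is example code written for this page, not the theme's own code; the hook name, the required capability and the export directory are assumptions.

```php
<?php
// Added example, not WPLMS code. The unsafe pattern this replaces is, in essence:
//     readfile( $_GET['file'] ); unlink( $_GET['file'] );
// reachable by anyone. Each numbered step below closes one of those gaps.
// Assumption: exports live under wp-content/uploads/course-exports/ (hypothetical).

add_action( 'admin_post_demo_download_export', 'demo_download_export' );

function demo_download_export() {
    // 1. Permissions check: only users who may export content reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the download link must carry a valid nonce.
    check_admin_referer( 'demo_download_export' );

    // 3. Path validation: accept a bare .zip file name only, resolve it with
    //    realpath(), and confirm the result stays inside the export directory.
    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $name = basename( $name );
    if ( '' === $name || ! preg_match( '/\.zip$/', $name ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'course-exports' );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    // 4. Stream the validated export, then delete only that file.
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $target ) . '"' );
    header( 'Content-Length: ' . filesize( $target ) );
    readfile( $target );
    unlink( $target );
    exit;
}
```

Note that realpath() returns false for a nonexistent file, so the prefix check above also rejects dangling names before anything is read or removed.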