Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

VibeThemes

Source -

CNA

BOS Name -

N/A

CNA CVEs -

22

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
22Vulnerabilities found
CVE-2015-10139
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.06% / 20.07%
||
7 Day CHG+0.01%
Published-19 Jul, 2025 | 11:23
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPLMS Learning Management System for WordPress, WordPress LMS <= 1.8.4.1 - Privilege Escalation

The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS Learning Management System for WordPress, WordPress LMS
CWE ID-CWE-269
Improper Privilege Management
CVE-2025-32493
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.44%
||
7 Day CHG~0.00%
Published-09 Apr, 2025 | 16:09
Updated-09 Apr, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BP Social Connect <= 1.6.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes BP Social Connect allows Stored XSS. This issue affects BP Social Connect: from n/a through 1.6.2.

Action-Not Available
Vendor-VibeThemes
Product-BP Social Connect
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-56045
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.3||CRITICAL
EPSS-0.11% / 30.69%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 13:17
Updated-31 Dec, 2024 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5 - Unauthenticated Arbitrary Directory Deletion vulnerability

Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2024-56044
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 58.10%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 13:17
Updated-31 Dec, 2024 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin <= 1.9.9 - Unauthenticated Arbitrary User Token Generation vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS allows Authentication Bypass.This issue affects WPLMS: from n/a through 1.9.9.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-56043
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.48%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 13:15
Updated-31 Dec, 2024 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin <= 1.9.9 - Unauthenticated Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in VibeThemes WPLMS allows Privilege Escalation.This issue affects WPLMS: from n/a through 1.9.9.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2024-56040
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.48%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 13:15
Updated-31 Dec, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VibeBP plugin <= 1.9.9.4.1 - Unauthenticated Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in VibeThemes VibeBP allows Privilege Escalation.This issue affects VibeBP: from n/a through 1.9.9.4.1.

Action-Not Available
Vendor-VibeThemes
Product-VibeBP
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2024-56042
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.3||CRITICAL
EPSS-0.18% / 39.63%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 12:57
Updated-31 Dec, 2024 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.3 - Unauthenticated SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-56041
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.16% / 37.72%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 12:57
Updated-31 Dec, 2024 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VibeBP plugin < 1.9.9.5.1 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes VibeBP allows SQL Injection.This issue affects VibeBP: from n/a before 1.9.9.5.1.

Action-Not Available
Vendor-VibeThemes
Product-VibeBP
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-56039
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.3||CRITICAL
EPSS-0.17% / 38.32%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 12:55
Updated-31 Dec, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VibeBP plugin < 1.9.9.7.7 - Unauthenticated SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes VibeBP allows SQL Injection.This issue affects VibeBP: from n/a before 1.9.9.7.7.

Action-Not Available
Vendor-VibeThemes
Product-VibeBP
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-56046
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-10||CRITICAL
EPSS-0.25% / 47.84%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 12:53
Updated-31 Dec, 2024 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin <= 1.9.9 - Unauthenticated Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through 1.9.9.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-56047
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.19% / 40.85%
||
7 Day CHG+0.02%
Published-18 Dec, 2024 | 18:58
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.3 - Subscriber+ SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-56053
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-7.6||HIGH
EPSS-0.15% / 36.73%
||
7 Day CHG+0.01%
Published-18 Dec, 2024 | 18:58
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.3 - Instructor+ SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-56048
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.23% / 45.57%
||
7 Day CHG+0.03%
Published-18 Dec, 2024 | 18:57
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin <= 1.9.9 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in VibeThemes WPLMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through 1.9.9.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-862
Missing Authorization
CVE-2024-56050
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.28% / 50.92%
||
7 Day CHG+0.04%
Published-18 Dec, 2024 | 18:56
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.3 - Subscriber+ Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.3.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-56052
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.28% / 50.92%
||
7 Day CHG+0.04%
Published-18 Dec, 2024 | 18:55
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.2 - Student+ Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-56054
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.1||CRITICAL
EPSS-0.27% / 50.30%
||
7 Day CHG+0.04%
Published-18 Dec, 2024 | 18:53
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.2 - Instructor+ Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-56057
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.28% / 50.92%
||
7 Day CHG+0.04%
Published-18 Dec, 2024 | 18:52
Updated-18 Dec, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.2 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-56049
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.12% / 31.29%
||
7 Day CHG+0.02%
Published-18 Dec, 2024 | 18:46
Updated-18 Dec, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.2 - Subscriber+ Arbitrary File Deletion vulnerability

Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2024-56055
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.12% / 31.29%
||
7 Day CHG+0.02%
Published-18 Dec, 2024 | 18:42
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5.2 - Arbitrary Directory Deletion vulnerability

Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2024-56051
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.21% / 43.93%
||
7 Day CHG+0.05%
Published-18 Dec, 2024 | 18:41
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin < 1.9.9.5 - Student+ Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in VibeThemes WPLMS allows Code Injection.This issue affects WPLMS: from n/a before 1.9.9.5.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-10470
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-32.94% / 96.74%
||
7 Day CHG~0.00%
Published-09 Nov, 2024 | 05:40
Updated-12 Nov, 2024 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPLMS Learning Management System for WordPress <= 4.962 - Unauthenticated Arbitrary File Read and Deletion

The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.

Action-Not Available
Vendor-VibeThemesvibethemes
Product-WPLMS Learning Management System for WordPress, WordPress LMSwordpress_learning_management_system_
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-36690
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.07% / 22.31%
||
7 Day CHG~0.00%
Published-11 Jul, 2023 | 12:01
Updated-07 Oct, 2024 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS Theme < 4.900 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in VibeThemes WPLMS theme <= 4.900 versions.

Action-Not Available
Vendor-vibethemesVibeThemes
Product-wordpress_learning_management_system_WPLMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)