Cybersecurity researchers at Patchstack have uncovered a series of severe security vulnerabilities in the popular WPLMS WordPress theme and its associated plugins, potentially compromising over 28,000 educational websites worldwide. The findings have been coordinated with the WordPress security community and are tracked via the WordPress Security advisories.
Critical Security Flaws: Scope and Impact Analysis
The investigation revealed 18 distinct vulnerabilities within the WPLMS theme and VibeBP plugin ecosystem, with 10 classified as critical. These flaws enable unauthenticated attackers to perform arbitrary code execution, unauthorized file uploads, privilege escalation to administrator level, and SQL injection attacks — any one of which can result in complete site compromise.
Institutions Running WordPress with the WPLMS Theme or VibeBP Plugin Installed
Any WordPress site running the WPLMS theme below version 1.9.9.5.3 or the VibeBP plugin below version 1.9.9.7.7 is vulnerable. This includes educational institutions, corporate training platforms, and e-learning marketplaces — particularly those using WooCommerce to process course payments. An unauthenticated attacker with access to the public-facing site can exploit these vulnerabilities without needing any login credentials.
Primary Risk Factors
- Unauthorized system access enabling full server takeover
- Exposure of student personal information and academic records
- Unauthorized modification or deletion of course content
- Financial system exposure through WooCommerce integration
- Potential for malware injection into course materials delivered to students
What Site Administrators Must Do Now
- Upgrade to WPLMS version 1.9.9.5.3 or later immediately via the WordPress admin dashboard or FTP.
- Update the VibeBP plugin to version 1.9.9.7.7 or newer — these two updates must be applied together.
- Review server access logs for suspicious POST requests to WPLMS file upload endpoints dating back to spring 2023.
- Deploy a Web Application Firewall (WAF) — such as Wordfence or Cloudflare WAF — and enable rules blocking unauthenticated file upload attempts.
- Audit all WordPress administrator accounts for unknown users and reset all admin passwords after patching.
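The first two steps above reduce to one question (is the installed WPLMS theme or VibeBP plugin still below the fixed version?) and the third to a log triage. The script below is an added example, not code from Patchstack, Vibe Themes, or this advisory. It reads the standard WordPress `Version:` header from a theme's `style.css` or a plugin's main file, compares it component-wise against the fixed versions named in this article (1.9.9.5.3 and 1.9.9.7.7), and scans web-server access-log lines for POST requests to the theme or plugin directories since spring 2023. The directory slugs (`wp-content/themes/wplms/`, `wp-content/plugins/vibebp/`), the file name in the sample log, and the log lines themselves are assumptions constructed for the example; the advisory does not name the vulnerable upload endpoints, so a hit here is a lead to investigate, not a confirmed compromise.

```python
"""Version check and access-log triage for the WPLMS / VibeBP advisory.

Added example (not the advisory's or the vendor's code). Assumptions:
the theme and plugin carry standard WordPress 'Version:' file headers,
and they live under the conventional wp-content slugs used in WATCH.
"""
import re
from datetime import datetime

# Fixed versions as stated in the advisory.
FIXED = {"wplms": "1.9.9.5.3", "vibebp": "1.9.9.7.7"}


def parse_version(s):
    """'1.9.9.5.2' -> (1, 9, 9, 5, 2)."""
    return tuple(int(p) for p in s.strip().split("."))


def version_lt(a, b):
    """True if dotted version a is older than b (shorter side padded with 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


# Matches 'Version: 1.2.3' or ' * Version: 1.2.3' at the start of a header line.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)


def header_version(text):
    """Extract the Version: value from a WordPress theme/plugin file header."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def is_vulnerable(component, header_text):
    """None if no version header found; otherwise True when below the fix."""
    v = header_version(header_text)
    return None if v is None else version_lt(v, FIXED[component])


# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed install paths for the theme and plugin (conventional slugs).
WATCH = ("/wp-content/themes/wplms/", "/wp-content/plugins/vibebp/")
SINCE = datetime(2023, 3, 1)  # "spring 2023" per the advisory


def suspicious_posts(lines):
    """Return (ip, timestamp, path, status) for POSTs to WATCH paths since SINCE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
        if ts < SINCE:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.startswith(WATCH):
            hits.append((m.group("ip"), ts.isoformat(), path, m.group("status")))
    return hits


# Constructed sample inputs (not real site data).
SAMPLE_STYLE_CSS = """/*
Theme Name: WPLMS
Version: 1.9.9.5.2
*/
"""
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: VibeBP
 * Version: 1.9.9.7.7
 */
"""
# 'example-upload.php' is a placeholder file name, not a real endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2023:10:22:01 +0000] "POST /wp-content/themes/wplms/example-upload.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Feb/2023:08:00:00 +0000] "POST /wp-content/themes/wplms/example-upload.php HTTP/1.1" 200 512',
    '192.0.2.9 - - [14/Apr/2023:10:23:00 +0000] "GET /wp-content/themes/wplms/style.css HTTP/1.1" 200 8000',
    '203.0.113.5 - - [15/Apr/2023:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("WPLMS vulnerable:", is_vulnerable("wplms", SAMPLE_STYLE_CSS))
    print("VibeBP vulnerable:", is_vulnerable("vibebp", SAMPLE_PLUGIN_HEADER))
    for hit in suspicious_posts(SAMPLE_LOG):
        print("review:", hit)
```

On a live host, point `header_version` at `wp-content/themes/wplms/style.css` and the plugin's main PHP file, and feed `suspicious_posts` the access log. Only the first sample line is reported: the second predates spring 2023, the third is a GET, and the fourth is a POST outside the watched directories.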
Vulnerability Timeline and Resolution
The security flaws were initially identified in spring 2023, with Patchstack formally notifying Vibe Themes on March 31. The remediation process extended from April through November 2023, involving multiple rounds of patch testing and validation. Sites that have not yet applied the patches remain exposed to all 18 vulnerabilities.