Login Sign Up

CVE-2024-56042

9.3 CRITICAL
SQL Injection

📋 TL;DR

This is an unauthenticated SQL injection vulnerability in the WPLMS WordPress plugin that allows attackers to execute arbitrary SQL commands without authentication. It affects all WordPress sites running vulnerable versions of WPLMS, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • WPLMS WordPress Plugin
Versions: All versions before 1.9.9.5.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with WPLMS plugin enabled, regardless of theme or other plugins.

📦 What is this software?

Wordpress Learning Management System by Vibethemes

View all CVEs affecting Wordpress Learning Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Data exfiltration of sensitive information (user credentials, personal data), database manipulation, and potential site takeover.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized, and this one requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.9.5.3

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WPLMS plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 1.9.9.5.3+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable WPLMS plugin until patched to prevent exploitation.

wp plugin deactivate wplms

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting WPLMS endpoints.

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected WordPress instances
  • Enable database activity monitoring and alerting for suspicious SQL queries

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for WPLMS version. If version is below 1.9.9.5.3, system is vulnerable.

Check Version:

wp plugin get wplms --field=version

Verify Fix Applied:

Confirm WPLMS plugin version is 1.9.9.5.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP
  • Unexpected database errors in WordPress logs

Network Indicators:

  • HTTP requests with SQL injection payloads to WPLMS endpoints
  • Unusual outbound database connections

SIEM Query:

source="web_server" AND (uri="*wplms*" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*"))

📊 Metadata

CVE ID: CVE-2024-56042
CVSS v3 Score: 9.3 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CWE: CWE-89
Published: December 31, 2024
Last Updated: December 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-56042, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)