CVE-2024-56050: 
WordPress vulnerability analysis and mitigation

The WPLMS WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2024-56050) that affects versions before 1.9.9.5.3. This vulnerability allows authenticated users with subscriber-level privileges to upload arbitrary files to the web server, potentially enabling remote code execution (Bleeping Computer, WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The security flaw stems from missing file type validation in the WPLMS plugin, which allows authenticated users with Subscriber-level access and above to bypass upload restrictions (Patchstack).

The vulnerability enables authenticated attackers with subscriber-level privileges to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, allowing attackers to execute malicious code on the compromised server (WPScan).

Users are strongly advised to upgrade to WPLMS version 1.9.9.5.3 or later to address this vulnerability. The fix has been implemented in the latest version to properly validate file uploads and prevent unauthorized file types from being uploaded to the server (ASEC).