more_set_headers "allow: GET, POST, HEAD, PURGE, PUT, DELETE, PATCH" always;
if ($request_method !~ ^(GET|POST|HEAD|PURGE|PUT|DELETE|PATCH)$) {
return 405;
}
A "tus: invalid length value" error in a TUS upload typically arises when the Upload-Length header, which specifies the total size of the file being uploaded, is missing, invalid, or doesn't match the actual file size.
--
So the issue is that the upload call is not being made. I am working on your site to fix this.
tus is the latest technology in uploads, used by Vimeo / YouTube; afaik there is no plugin in WordPress currently supporting it except vibebp.
Clues which made me come to the above conclusion:
I upload a SCORM zip package, and the upload starts fine but breaks at 32% (really odd %, depends on file size uploading first, 100% for another test package: https://prnt.sc/CnnnvewlYJAu)
Next time I upload the same SCORM package, the second upload call does not happen as the folder was already created in #1 but the server breaks file creation.
I wanted to confirm my finding so I wanted to install a file system plugin like FileBird or File Manager, but your web host has blacklisted them. All file system plugins are blacklisted as they also allow file creation. https://prnt.sc/FIV9PbMed-sq [this is not blacklisted on wordpress.org]
Hi Alex, we are hosting WPLMS on NGINX now and use a stack called SlickStack.io. It's very good, very fast, very secure for hosting our site.
When I try to upload SCORM content I get errors:
https://www.cleverer.au/wp-json/vbp/v1/user/upload_media_stream?upload
Request Method:
DELETE
Status Code:
405 Method Not Allowed
https://github.com/littlebizzy/slickstack/issues/116
I've spoken to the developers of Slickstack; they are very security-focused and claim that the way WPLMS works is not safe and should be using the REST API.
This is quite an urgent issue for us as we need to add some new courses.
Hi, the solution to this is mentioned here:
https://gridpane.com/kb/making-nginx-accept-put-delete-and-patch-verbs/
One is to put some GET param in our API, which is not possible since we are using the Plupload JS API to upload the packages in chunks there,
and its API makes the request to upload the file to the server.
The other method is to configure your server to allow the requests.
Hey Alex, this at best is a temporary fix but not long-term. Given the recent security vulnerabilities in WPLMS, I don't want to take chances or shortcuts that are not technically secure for WordPress.
Can you use Axios or Fetch API?
Do not worry about vulnerabilities, those are taken as top priorities. With each upload API we have a strict MIME type check; we even unzip the folder and check each file in that folder for potential malware there.
Hey Alex, I've tried to apply the fix you linked. The Slickstack configuration isn't the same as the default nginx. I was advised against doing this fix. I attempted it, I've quite literally spent the entire day between both methods troubleshooting. Now my site has gone down completely. I've had to rebuild the server from scratch and I'm currently in the process of restoring the website. Not exactly ideal.
Using the ?_method={HTTP_VERB} query parameter method override:
Using the X-HTTP-Method-Override header method override:
Following the instructions, there are errors related to the "if" statement
I then try to add this to the slickstack production.confg (production website config file). I then get constant errors.
Neither option is working for me.
I'm using the paid version of ChatGPT to support me in working through the errors but I'm getting absolutely nowhere.
Correction, we are using Tus.io and the Fetch API (not Plupload); DELETE needs to be enabled in the server. Our script breaks the package into smaller chunks and then merges them on the server. Chunks are sent via PATCH request. A delete zip call is made to remove the SCORM zip file as well, as the SCORM package is unzipped on the server.
The PUT/PATCH requests are required to upload larger packages; the only way to remove this limit is by allowing a higher upload limit in PHP.
What is the exact issue? Can you share a screenshot of this?
P.S.: This seems to be a server issue.
Thank You
WPLMS Documentation: https://docs.wplms.io/
WPLMS Youtube tutorial videos : https://www.youtube.com/@vibethemes
Hi Alex,
When I upload SCORM i.e. a unit this is the error I receive:
tus: invalid or missing offset value, originated from request (method: HEAD, url: https://www.cleverer.au/wp_json/vbp/v1/user/upload_media_stream/IhSTpy?upload, response code: 204, response text: , request id: n/a)
I've attached screenshots.
Thanks Colin
Attached files: clevereruploaderrorsnippet.png
clevereruploaderror.png
Can you confirm the PUT & PATCH requests are allowed?
Also share the site link and WP admin details in a private reply. We can debug to see further.
Hey Alex, no offence Ripul, I just haven't spoken with you previously and would like to verify you before sharing my site's credentials. Can you please have Alex confirm this is OK to share details with you?
Hey, Alex is a support executive and is on vacation.
He won't be coming soon.
You can share the credentials in a private reply.
There are 2 issues:
a. Delete is not supported: https://prnt.sc/03kYZ9Jcdlag , this can be ignored as DELETE runs to clear out any pending uploads for the same file in the PWA.
b. Patch is not supported in the server: https://prnt.sc/PBHNHgt5M7pv
You will need to modify nginx.conf to support this. I found a suitable article to help you on this: https://gridpane.com/kb/making-nginx-accept-put-delete-and-patch-verbs/
Hey Ripul,
I've been given that link already and spent 2-3 days trying that and nothing worked :(
Is there any other method for uploading SCORM? I literally spent days trying to get that fix you listed to work.
This is not a bug in the code we can fix; this is an industry standard supported by a majority of servers. Your server has deliberately disabled it, it needs to be enabled. Or you can set the upload limit equivalent to the SCORM package size.
We are using the tus protocol, which is used by YouTube, Vimeo etc., in vibebp
https://tus.io/faq#how-does-tus-work
and it requires PATCH to be supported.
Is there an alternative method of me uploading courses, e.g. FTP?
Yes, since we are reading from the directory, you can upload the SCORM package directly into the directory and unzip it.
This is the directory path:
wp-content/uploads/package_uploads
If instructor privacy is enabled:
wp-content/uploads/package_uploads/{numeric userid}
--
Here you unzip the SCORM package inside its directory.
Hey team, sorry, had a break over Christmas. I uploaded manually via FTP but it hasn't resolved the issue.
Here's a video link; I have also included a voice-over of the issue:
https://www.dropbox.com/scl/fi/nz1m74yw83hhoq6preu2e/WPLMSUploadFTPIssues.mp4?rlkey=6mfd85thfbgu38ahu8bbfm89a&dl=0
We have an update of vibebp coming up with a fix to an issue related to package uploads.
Thank you, is there an approximate ETA?
When you manually placed the package, you should be able to see it in the existing packages section.
The bug fix is related to uploads.
Hi Ripul, as per my video I can't see it in the package section; it doesn't expand enough.
Regardless, if the upload system is fixed I should be fine. Is there an approximate time frame for when that upload bug fix is applied?
Thanks Colin
This gets resolved in WPLMS plugin update 1.9.9.5.4.
Please update, you will be able to upload packages now.
Just to clarify - when I use WP Local and upload a copy of my site, I get the same errors. I thought maybe it was Slickstack and my hosting but it's entirely something wrong with WPLMS.
This is business critical!
Checking site..
I did not understand the part where you say, if you disable wplms/vibebp the api is working. The api code is inside the vibebp, so if the plugin is disabled it can not work. https://www.cleverer.au/wp-json/vbp/v1/user note the /vbp/v1 <-- comes from vibebp.
FYI. I also hosted the site on an apache server instead of nginx, still had the exact same errors.
I understand.
Can you check if this version of the plugin is working: https://drive.google.com/file/d/1XTntn0xCHV8WchxfEW75TZi_dXpT7jwp/view?usp=sharing
Another user reported this issue, and his issue was resolved with the above version. https://prnt.sc/XlL-4GyvYTMY
Hi Ripul, is that the latest version? I know that only the 2 most recent are safe to use. My site went down multiple times due to the past vulnerability with WP config being able to be deleted; it was a very real problem for me.
Yes, this is the latest version with some changes which have worked for some users but not for everyone.
You have the latest version already installed on your site,
https://www.cleverer.au/wp-content/plugins/wplms_plugin/changelog.txt
--
To revert back to the original version of the plugin, simply grab your purchase code and replace it in the link below:
https://wplms.io/verify-purchase/?purchase_code=YOUR-PURCHASE-CODE&plugin=wplms.io/wplms_plugin.zip
Hi Ripul,
I backed up the wplms_plugins on my site. Uploaded this plugin and replaced it/updated it. Tried to upload a SCORM and the issue remains
Request URL:
https://www.cleverer.au/wp-json/vbp/v1/user/upload_media_stream?upload
Request Method:
DELETE
Status Code:
404 Not Found
Remote Address:
104.21.19.118:443
Referrer Policy:
strict-origin-when-cross-origin
Thanks Colin
Also I have someone trying to help me and he asked "please ask WPLMS to confirm that their plugin sends requests to the REST API using POST". Can you please let me know?
Yes, all REST API calls are POST.
The package name should not be very large; we have seen this also causing issues.
Hi Ripul, our course packages are often 30mb, doesn't seem that large by today's standards? We usually split courses into sections so 1 course might have 6-12 SCORM files.
I'm still unable to upload any packages; even manually via FTP doesn't work due to the interface. This is business critical, we're stuck at a standstill. Any help is appreciated. Thank you!
Scorm upload update is live : https://wplms.io/support/knowledge-base/wplms-plugin-1-9-9-6/
Hi Ripul,
I have updated, rebooted the server and tested with the same error upload_media_stream?upload not found 404.
The first 404 can be ignored, as it is deleting the previous upload attempt.
For the rest, I see the upload process began and the chunks were uploaded.
So it seems the upload is working.
Can you please clarify this?
If possible, share site details and I can check this on your site.
This is working correctly, refer to the video:
https://jmp.sh/ynCTN32I
Thank you, I am checking this...
This is working fine in my local.
Uploading package : https://jmp.sh/1b2lechd
running package : https://prnt.sc/-rDjSUDBf5_E
I am checking your site for more details.
I will update you on this topic.
The issue is not related to AJAX, but to a missing upload call in your site: https://prnt.sc/ZWdQ4kYPYo6v
Works perfectly in our test sites.
The error: tus: invalid length value
-- Gemini:
I think I have the issue. Your server file system does not have correct permissions!
Here's what is happening:
1. When we upload the package on your site, which is a .zip file,
2. it gets unzipped,
3. it creates a folder
4. and places all the files inside the zip file into the folder, recursively.
Step #4 is where all the issues happen.
It means the program PHP does not have file creation permissions; you can confirm the above with your web host.
--
We need 755 permission levels for all the folders.
---
Clues which made me come to the above conclusion:
--
Kindly consult your webhost if this can be enabled for our plugin vibebp.
The other option is to manually place the unzipped files in wp-content/uploads/package-uploads
Hey Ripul,
These are comments from my developer.
Thanks for the message, checking your site again...
Your webhost's response is on the assumption that it's a code issue, but the code is working on all the servers; a coding issue would be replicable on all the sites & servers. At the moment, this is the only remaining case, all other cases related to uploading have been resolved.
The issue is specifically now with PATCH requests.
Hi Ripul, you said a week ago that all rest api are POST but PATCH is not the same as POST?
Ripul replied 1 week ago on March 12, 2025 at 6:11pm
Yes, all rest api are POST
I am sorry, I clearly missed this. This is the only instance where we use a PATCH; yes, PATCH is not the same.
Have you had any success?
Can you confirm with the webhost whether PATCH is enabled?
Hi Ripul,
I’ve reviewed the current configuration, and it appears that PATCH is not enabled. I would prefer to keep it that way, as enabling it could introduce unnecessary security vulnerabilities. Given that my business focuses on delivering cyber security education, maintaining a high level of security on our website is absolutely critical.
That said, I want to raise this constructively—not as a criticism, but as an observation. It seems the issue may relate to WPLMS not fully adhering to best practices. Specifically, using POST for course uploads and extracting content into a designated temporary directory (rather than the general uploads folder) would be a more secure and standard-compliant approach. Using the uploads directory for this purpose could also present a security risk.
I’m not comfortable making concessions on security, especially where there are established best practices that can be followed to mitigate risk.
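The extraction steps listed earlier in the thread (unzip, create a folder, write the files) and the staging-directory suggestion above, combined as an added example; it is not code from WPLMS, vibebp or any participant. The function names, the extension allow-list and the size limit are assumptions: the archive is validated, extracted in a private temporary directory, and only then moved into the package directory.

```python
import os
import shutil
import tempfile
import zipfile

# Assumed allow-list of file types a SCORM package needs; adjust to your content.
ALLOWED_EXT = {".html", ".htm", ".js", ".css", ".xml", ".xsd", ".dtd", ".json",
               ".png", ".jpg", ".gif", ".svg", ".mp3", ".mp4", ".woff", ".woff2"}


def check_package(zip_path, max_total=500 * 1024 * 1024):
    """Return reasons to reject the archive; an empty list means it may be extracted."""
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        infos = zf.infolist()
        if "imsmanifest.xml" not in [i.filename for i in infos]:
            problems.append("no imsmanifest.xml at archive root")
        if sum(i.file_size for i in infos) > max_total:  # assumed size limit
            problems.append("uncompressed size over limit")
        for info in infos:
            parts = info.filename.replace("\\", "/").split("/")
            if parts[0] == "" or ".." in parts or ":" in parts[0]:
                problems.append(f"path escapes target: {info.filename}")
            elif not info.is_dir():
                ext = os.path.splitext(info.filename)[1].lower()
                if ext not in ALLOWED_EXT:
                    problems.append(f"extension not allowed: {info.filename}")
    return problems


def stage_and_publish(zip_path, packages_dir, name):
    """Validate, extract into a private staging dir, then move into packages_dir."""
    problems = check_package(zip_path)
    if name in ("", ".", "..") or name != os.path.basename(name):
        problems.append(f"invalid package name: {name}")
    if not os.access(packages_dir, os.W_OK | os.X_OK):
        # The failure diagnosed in the thread: the process cannot create files here.
        problems.append(f"not writable by this process: {packages_dir}")
    final = os.path.join(packages_dir, name)
    if os.path.exists(final):
        problems.append(f"already exists: {final}")
    if problems:
        return problems
    staging = tempfile.mkdtemp(prefix="scorm-")  # created with mode 0700
    try:
        with zipfile.ZipFile(zip_path) as zf:
            zf.extractall(staging)
        for root, _dirs, files in os.walk(staging):
            os.chmod(root, 0o755)  # directories: 755, as requested in the thread
            for filename in files:
                os.chmod(os.path.join(root, filename), 0o644)  # files: not executable
        shutil.move(staging, final)
    finally:
        shutil.rmtree(staging, ignore_errors=True)  # no-op after a successful move
    return []
```

A non-empty return value lists every reason the package was refused, so a permission problem is reported before anything is written rather than partway through extraction.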
Your decision of not enabling PATCH is a big conceptual mistake. I will try my best to explain things:
Our code is secure (of course everyone says it), but recently our entire framework was scanned by Patchstack, all code, line by line, and the issues they raised were resolved in updates.
Our product is more secure than WordPress. A user logging in to WPLMS does not have access to WP-admin; we use a different login system and only expose our APIs. This is by far more secure than any platform which uses WordPress. Logged-in WordPress traffic is the #1 source of all hacks that happen. These are benefits of headless architecture. Just ask ChatGPT if headless is more secure. https://prnt.sc/chS4MfvwgRtJ
Functioning: From what we have, we create a token to upload every file, so the REST API path for the PATCH request is unique for every upload and gets cleared as soon as the upload concludes. This level of security is more than what standard WordPress has.
If you do not enable PATCH, then you have to increase your upload limit to upload SCORM packages (to the size of the package), which is by far very poor in forming uploads.
a. Upload a 10gb file, you need to have a 10gb upload limit.
b. A 10gb file would be sent from your computer in packets to the server; if 1 packet goes missing, the entire 10gb upload would restart. This happens internally in the network.
c. During that entire time the server is busy handling the upload file.
d. The upload will be put up in the temporary memory and consume RAM of the server.
This in fact is a classic way of DDOS attack on a server by uploading an incredibly large file into the server, and poorly handled upload forms often break the server.
A PATCH request is as secure as a POST request.
By breaking a 10gb file into smaller chunks of 2mb, the server handles a 2mb file at a time, consuming 2mg memory only. If a package goes missing only 2mb needs to restart; this is a huge win factor when it comes to part file uploading.
Of course it is your decision; we can only offer advice.
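The tus exchange described in this thread (a per-upload URL token, chunks sent with PATCH, HEAD to read the offset, DELETE to discard a pending upload), modelled as an added example that is not vibebp's or tus.io's code. The class and function names are hypothetical, and the `blocked` parameter stands in for a front end that answers a verb with 405.

```python
import secrets

CHUNK_TYPE = "application/offset+octet-stream"  # Content-Type tus requires on PATCH


class TusEndpoint:
    """In-memory model of a tus 1.0 upload endpoint (constructed, not vibebp code)."""

    def __init__(self, max_size):
        self.max_size = max_size  # server-side cap on the declared total size
        self.uploads = {}         # token -> {"length": int, "data": bytearray}
        self.completed = []       # finished payloads, handed on for processing

    def handle(self, method, token=None, headers=None, body=b""):
        headers = headers or {}
        if method == "POST":  # creation: the client declares the total size once
            length = headers.get("Upload-Length", "")
            if not length.isdigit() or int(length) > self.max_size:
                return 400, {}
            token = secrets.token_urlsafe(8)  # unguessable per-upload URL segment
            self.uploads[token] = {"length": int(length), "data": bytearray()}
            return 201, {"Location": token}
        upload = self.uploads.get(token)
        if upload is None:
            return 404, {}  # unknown, finished or deleted upload
        received = len(upload["data"])
        if method == "HEAD":  # resume point; a client cannot continue without it
            return 200, {"Upload-Offset": str(received)}
        if method == "DELETE":  # discard a pending upload
            del self.uploads[token]
            return 204, {}
        if method != "PATCH":
            return 405, {}
        if headers.get("Content-Type") != CHUNK_TYPE:
            return 415, {}
        if headers.get("Upload-Offset") != str(received):
            return 409, {}  # chunk does not start where the server stopped
        if received + len(body) > upload["length"]:
            return 413, {}  # would exceed the declared Upload-Length
        upload["data"] += body
        received += len(body)
        if received == upload["length"]:  # done: retire the per-upload URL
            self.completed.append(bytes(self.uploads.pop(token)["data"]))
        return 204, {"Upload-Offset": str(received)}


def upload(endpoint, data, chunk_size, blocked=()):
    """Client side. `blocked` models a front end that answers some verbs with 405."""
    def send(method, **kwargs):
        return (405, {}) if method in blocked else endpoint.handle(method, **kwargs)

    status, hdrs = send("POST", headers={"Upload-Length": str(len(data))})
    if status != 201:
        return f"create failed: {status}"
    token = hdrs["Location"]
    # Real clients send HEAD only when resuming; it is always sent here to show the check.
    status, hdrs = send("HEAD", token=token)
    if not hdrs.get("Upload-Offset", "").isdigit():
        return f"invalid or missing offset value (HEAD {status})"
    offset = int(hdrs["Upload-Offset"])
    while offset < len(data):
        chunk = data[offset:offset + chunk_size]
        status, hdrs = send("PATCH", token=token, body=chunk, headers={
            "Content-Type": CHUNK_TYPE, "Upload-Offset": str(offset)})
        if status != 204:
            return f"PATCH rejected: {status}"
        offset = int(hdrs["Upload-Offset"])
    return "ok"
```

The checks that bound what a PATCH can do sit in the handler (declared length, matching offset, content type, known token), which is where an operator would look when deciding whether to allow the verb on this one route.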