Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites


A critical vulnerability in the WPML multilingual plugin for WordPress could expose over one million websites to remote code execution (RCE).

Tracked as CVE-2024-6386 (CVSS score of 9.9), the bug could be exploited by an attacker with contributor-level permissions, the researcher who reported the issue explains.

WPML, the researcher notes, relies on Twig templates for shortcode content rendering, but does not properly sanitize input, which results in a server-side template injection (SSTI).
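The article describes the root cause as user-controlled shortcode content reaching Twig as template source. The following PHP snippet is an added illustration, not WPML's code and not from the researcher's write-up: it contrasts the vulnerable pattern (concatenating user text into the template string that Twig parses) with the safe pattern (passing user text as a variable to a fixed template, which Twig never parses and autoescapes on output), plus a small input check a defender can use as a logging or validation signal. The template name `language_switcher.html`, the function names and the sample inputs are all constructed for the example; it assumes the `twig/twig` package is installed via Composer.

```php
<?php
// Added example (not WPML's or the researcher's code). Assumes twig/twig
// is installed via Composer so the autoloader below exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Fixed template defined by the developer. User text never appears here
// as source; it only ever arrives through the {{ label }} variable.
$loader = new ArrayLoader([
    'language_switcher.html' => '<a href="{{ url }}">{{ label }}</a>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Vulnerable pattern: the user-supplied string is spliced into the template
// source, so any {{ ... }} or {% ... %} it contains is evaluated by Twig.
// This is the shape of bug the article describes as server-side template
// injection; it is shown for contrast and is not called below.
function render_unsafe(Environment $twig, string $userLabel, string $url): string
{
    $template = $twig->createTemplate(
        '<a href="{{ url }}">' . $userLabel . '</a>'   // user text becomes source
    );
    return $template->render(['url' => $url]);
}

// Safe pattern: the user-supplied string is data. Twig does not parse it,
// and with autoescape enabled it is HTML-encoded on output.
function render_safe(Environment $twig, string $userLabel, string $url): string
{
    return $twig->render('language_switcher.html', [
        'label' => $userLabel,
        'url'   => $url,
    ]);
}

// Defensive check: report whether shortcode content carries Twig delimiters.
// Useful as a detection signal (log and alert) or to reject input before it
// reaches any rendering path.
function contains_twig_syntax(string $input): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $input);
}

// Constructed sample inputs, not taken from the advisory.
$benign     = 'Français';
$suspicious = 'Hello {{ name }}';

// With render_safe() the delimiters in $suspicious stay literal text.
echo render_safe($twig, $benign, '/fr/') . PHP_EOL;
echo render_safe($twig, $suspicious, '/fr/') . PHP_EOL;

// The check flags the second input so a site owner can investigate which
// contributor account submitted it.
var_dump(contains_twig_syntax($benign));
var_dump(contains_twig_syntax($suspicious));
```

The design point is that `createTemplate()` and string concatenation turn data into code; `render()` with a variables array keeps the trust boundary where it belongs. The regex check is a signal rather than a fix: the fix is never to build template source from user input, and to update to the patched plugin version.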

The researcher has published proof-of-concept (PoC) code showing how the vulnerability can be exploited for RCE.

“As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques,” explained Defiant, the WordPress security firm that facilitated the disclosure of the flaw to the plugin’s developer. 

CVE-2024-6386 was resolved in WPML version 4.6.13, which was released on August 20. Users are advised to update to WPML version 4.6.13 as soon as possible, given that PoC code targeting CVE-2024-6386 is publicly available.

However, it should be noted that OnTheGoSystems, the plugin’s maintainer, is downplaying the severity of the vulnerability.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions. This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup,” OnTheGoSystems notes.


WPML is advertised as the most popular translation plugin for WordPress sites. It offers support for over 65 languages and multi-currency features. According to the developer, the plugin is installed on over one million websites.

