Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites

A critical vulnerability in the WPML WordPress plugin could allow a remote attacker to execute arbitrary code on the server.

A critical vulnerability in the WPML multilingual plugin for WordPress could expose over one million websites to remote code execution (RCE).

Tracked as CVE-2024-6386 (CVSS score of 9.9), the bug could be exploited by an attacker with contributor-level permissions, the researcher who reported the issue explains.

WPML, the researcher notes, relies on Twig templates for shortcode content rendering, but does not properly sanitize input, which results in a server-side template injection (SSTI).

The researcher has published proof-of-concept (PoC) code showing how the vulnerability can be exploited for RCE.

“As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques,” explained Defiant, the WordPress security firm that facilitated the disclosure of the flaw to the plugin’s developer.

CVE-2024-6386 was resolved in WPML version 4.6.13, which was released on August 20. Users are advised to update to WPML version 4.6.13 as soon as possible, given that PoC code targeting CVE-2024-6386 is publicly available.

However, it should be noted that OnTheGoSystems, the plugin’s maintainer, is downplaying the severity of the vulnerability.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions. This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup,” OnTheGoSystems notes.

WPML is advertised as the most popular translation plugin for WordPress sites. It offers support for over 65 languages and multi-currency features. According to the developer, the plugin is installed on over one million websites.

Leave a Reply

Your email address will not be published. Required fields are marked *