Critical WPML Plugin Vulnerability Exposes WordPress Websites to Remote Code Execution
A critical security vulnerability has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under specific conditions.
The flaw, tracked as CVE-2024-6386 (CVSS score: 9.9), affects all versions of the plugin before 4.6.13, which was released on August 20, 2024.
Arising from missing input validation and sanitization, the issue allows authenticated attackers with Contributor-level access or higher to execute code on the server.
WPML is a popular plugin for building multilingual WordPress sites, with over one million active installations.
Security researcher stealthcopter, who discovered and reported CVE-2024-6386, noted that the issue originates in the plugin's handling of shortcodes used to insert post content such as audio, images, and videos.
“In particular, the plugin utilizes Twig templates for rendering content in shortcodes but fails to adequately sanitize input, thus resulting in server-side template injection (SSTI),” the researcher stated.
SSTI, as the name suggests, occurs when an attacker is able to use native template syntax to inject a malicious payload into a web template, which is then evaluated on the server. The defining feature is that the attacker's input becomes part of the template's source rather than data passed to it, so output escaping applied after rendering does not help. An attacker could then use the vulnerability to execute arbitrary commands, effectively gaining control over the site.
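To make the distinction concrete, the following PHP is an added illustration of the bug class, not WPML's code: a shortcode-style callback that splices an attribute into a Twig template source, next to the hardened form that passes the same attribute through the render context. It assumes Twig is installed via Composer; the function names, the `<figure>` markup and the sample attributes are all constructed for this example.

```php
<?php
// Added illustration, not WPML's code: the bug class the advisory describes,
// reduced to a shortcode callback that renders with Twig.
// Assumes Twig is installed via Composer (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);

// VULNERABLE pattern: the shortcode attribute is spliced into the template
// SOURCE, so whatever the post author typed is parsed as Twig syntax.
// Autoescaping cannot help here; by the time it runs, the injected
// expression has already been evaluated. Neither does esc_attr() before the
// concatenation, because HTML escaping leaves "{{" and "}}" untouched.
function render_media_vulnerable(Environment $twig, array $atts): string
{
    $source = '<figure class="' . $atts['class'] . '">'
            . '<img src="{{ src }}" alt="{{ alt }}"></figure>';
    return $twig->createTemplate($source)->render([
        'src' => $atts['src'],
        'alt' => $atts['alt'],
    ]);
}

// HARDENED pattern: the template source is a constant; every attribute
// reaches Twig only through the render context, where it is treated as data
// and HTML-escaped by autoescape.
function render_media_safe(Environment $twig, array $atts): string
{
    $source = '<figure class="{{ cls }}">'
            . '<img src="{{ src }}" alt="{{ alt }}"></figure>';
    return $twig->createTemplate($source)->render([
        'cls' => $atts['class'],
        'src' => $atts['src'],
        'alt' => $atts['alt'],
    ]);
}

// Constructed sample attributes, as a WordPress shortcode callback would
// receive them after shortcode_atts() (which fills in defaults but does not
// sanitize). The "class" value is the standard SSTI probe: harmless on its
// own, but if it comes back evaluated, the author controls the template.
$atts = [
    'class' => '{{ 7*7 }}',
    'src'   => 'https://example.com/a.png',
    'alt'   => 'probe',
];

echo render_media_vulnerable($twig, $atts), PHP_EOL;
echo render_media_safe($twig, $atts), PHP_EOL;
```

Run with `php example.php`: the vulnerable function emits `class="49"`, showing that Twig evaluated the attribute, while the hardened one emits the literal braces as text. The fix is the change of data flow (user input only ever enters the context), not an escaping call; Twig's SandboxExtension can further restrict what a template may call and is worth enabling as defense in depth, but it does not replace keeping untrusted input out of the template source.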

“This WPML release addresses a security vulnerability that could allow users with specific permissions to carry out unauthorized actions,” said the plugin maintainers, OnTheGoSystems. “The probability of this issue occurring in real-world scenarios is low. It requires users to have editing permissions in WordPress, and the site requires a highly particular setup.”
Users of the plugin are advised to update to 4.6.13 or later to protect against potential exploitation. Sites that grant Contributor or higher roles to untrusted or self-registered users are the most exposed, since that role is the only prerequisite the attacker needs beyond a vulnerable version and the affected configuration.