The developers of WPML have released an update to address several security issues that can be exploited to access website databases, delete content, and perform administrative actions.
WPML is a premium plugin designed for running fully multilingual websites with WordPress. The official WPML website shows that the application is installed on more than 400,000 commercial sites.
A total of four vulnerabilities have been identified and reported by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. According to the expert, the most serious flaw is an SQL injection that can be exploited by an unauthenticated attacker to read the contents of an affected website’s database, including password hashes and other user details.
“When WPML processed a HTTP POST request containing the parameter ‘action=wp-link-ajax’, the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped,” Pynnonen explained in an advisory. “By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results.”
Another serious issue allows the removal of content from websites, including pages, posts and menus. The flaw is caused by the lack of access control in the “menu sync” functionality, which allows administrators to keep WordPress menus consistent across different languages, Pynnonen said.
The last security hole identified by Pynnonen can be exploited by an unauthenticated attacker to bypass the WPML nonce check and perform any of the approximately 50 Ajax functions designed to be used by website administrators.
“The administrative ajax functions are protected with nonces to prevent unauthorized use. If the nonce check failed with $_REQUEST values, there was a secondary check that also had to fail before the request was denied,” the expert explained. “The problem is the mixed use of $_REQUEST and $_GET. If the above check succeeds, subsequent code again uses $_REQUEST instead of $_GET to determine the ajax action to perform.”
“If the attacker has a valid nonce generated by the target WordPress site - any plug-in or the core system - then they can pass the above check. They can then define a different ajax action in POST parameters to perform administrative functions without authentication,” he added.
The vulnerabilities were reported on March 2 and they were addressed by OnTheGoSystems last week with the release of WPML 3.1.9. However, since the update caused WPML to decode non-English URLs incorrectly, version 220.127.116.11 was also released to address this functionality bug.
“We take the security of our clients very seriously, so as soon as we noticed these possible exploits, we set to work on a version which fixes them,” WPML developers wrote in a blog post.
In September 2014, Pynnonen identified a critical XSS vulnerability in WordPress itself. The vulnerability could have been exploited by a remote attacker to compromise websites with the aid of specially crafted comments.