
Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites

A critical vulnerability in the WPML WordPress plugin could allow a remote attacker to execute arbitrary code on the server.

A critical vulnerability in the WPML multilingual plugin for WordPress could expose over one million websites to remote code execution (RCE).

Tracked as CVE-2024-6386 (CVSS score of 9.9), the bug could be exploited by an attacker with contributor-level permissions, the researcher who reported the issue explains.

WPML, the researcher notes, relies on Twig templates for shortcode content rendering, but does not properly sanitize input, which results in a server-side template injection (SSTI).
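The root cause described above is the generic SSTI pattern: a string that a low-privileged user controls is compiled as a Twig template instead of being passed to a trusted template as data. The following is an added illustration of that pattern next to the hardened form; it is not WPML's code and does not reproduce the actual flaw, and it assumes twig/twig is installed via Composer.

```php
<?php
// Illustrative example (not WPML's code). Assumes twig/twig via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Vulnerable pattern: the contributor-controlled string becomes the template
// source, so any {{ ... }} or {% ... %} it contains is evaluated by Twig.
function render_unsafe(Environment $twig, string $shortcodeContent): string
{
    return $twig->createTemplate($shortcodeContent)->render([]);
}

// Hardened pattern: the template is fixed and trusted; user content is handed
// over as a context variable, so Twig treats it as data and HTML-escapes it.
function render_safe(Environment $twig, string $shortcodeContent): string
{
    return $twig->render('shortcode.twig', ['content' => $shortcodeContent]);
}

$twig = new Environment(
    new ArrayLoader([
        'shortcode.twig' => '<div class="shortcode">{{ content }}</div>',
    ]),
    ['autoescape' => 'html'] // default, stated explicitly
);

// Constructed sample: contributor text that happens to contain Twig syntax.
$sample = 'Hello {{ 1 + 1 }}';

// Safe path: braces are preserved as literal text and escaped for HTML.
echo render_safe($twig, $sample), PHP_EOL;

// Unsafe path, shown only for contrast: the expression would be evaluated
// and "Hello 2" printed, which is the template injection the advisory describes.
// echo render_unsafe($twig, $sample), PHP_EOL;
```

The mitigation is structural, not filtering: never build a template from content that an authenticated but untrusted role can edit, and keep the fixed template under the site owner's control.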

The researcher has published proof-of-concept (PoC) code showing how the vulnerability can be exploited for RCE.

“As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques,” explained Defiant, the WordPress security firm that facilitated the disclosure of the flaw to the plugin’s developer.

CVE-2024-6386 was resolved in WPML version 4.6.13, which was released on August 20. Users are advised to update to WPML version 4.6.13 as soon as possible, given that PoC code targeting CVE-2024-6386 is publicly available.

However, it should be noted that OnTheGoSystems, the plugin’s maintainer, is downplaying the severity of the vulnerability.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions. This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup,” OnTheGoSystems notes.

WPML is advertised as the most popular translation plugin for WordPress sites. It offers support for over 65 languages and multi-currency features. According to the developer, the plugin is installed on over one million websites.

Ionut Arghire is an international correspondent for SecurityWeek.
