Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites

A critical vulnerability in the WPML WordPress plugin could allow a remote attacker to execute arbitrary code on the server.

A critical vulnerability in the WPML multilingual plugin for WordPress could expose over one million websites to remote code execution (RCE).

Tracked as CVE-2024-6386 (CVSS score of 9.9), the bug could be exploited by an attacker with contributor-level permissions, the researcher who reported the issue explains.

WPML, the researcher notes, relies on Twig templates to render shortcode content but does not properly sanitize the input it places into those templates, which results in server-side template injection (SSTI).
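To make the vulnerability class concrete, here is an added PHP example that is not WPML's code and does not reflect the plugin's internals: a hypothetical shortcode renderer that concatenates user content into the Twig template source (the SSTI anti-pattern), beside a hardened version that passes the same content only as a template variable and runs Twig under its sandbox extension. It assumes Twig is installed via Composer (vendor/autoload.php) and that the function and template names are hypothetical.

```php
<?php
// Added illustrative example (not WPML's code): the SSTI pattern described above,
// shown as a vulnerable rendering function beside a hardened one.
// Assumes Twig is installed via Composer so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE (hypothetical): user-supplied shortcode content is concatenated into
// the template source, so any Twig syntax inside it ({{ ... }}, {% ... %}) is
// compiled and evaluated as template code rather than treated as text.
function render_shortcode_vulnerable(Environment $twig, string $userContent): string
{
    $source = '<div class="shortcode">' . $userContent . '</div>';
    return $twig->createTemplate($source)->render([]);
}

// HARDENED (hypothetical): the template source is fixed and written by the
// developer; user content is passed only as a variable, so Twig treats it as data
// and autoescapes it for HTML output.
function render_shortcode_hardened(Environment $twig, string $userContent): string
{
    return $twig->render('shortcode.html.twig', ['content' => $userContent]);
}

// Defence in depth: a sandboxed environment with an explicit allowlist of tags,
// filters, methods, properties and functions, so that even a template-injection
// bug cannot reach arbitrary PHP objects or methods through the template engine.
function make_sandboxed_environment(): Environment
{
    $loader = new ArrayLoader([
        'shortcode.html.twig' => '<div class="shortcode">{{ content }}</div>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);
    $policy = new SecurityPolicy(
        ['if', 'for'],                 // allowed tags
        ['escape', 'upper', 'lower'],  // allowed filters
        [],                            // allowed methods: none
        [],                            // allowed properties: none
        ['range']                      // allowed functions
    );
    // Second argument true: sandbox every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

$twig = make_sandboxed_environment();

// Constructed sample input: contributor-level content that happens to contain
// Twig expression syntax. A harmless arithmetic expression is the usual canary
// for confirming, in a test environment, whether content reaches the template
// compiler: if the output contains the computed value, the content is being
// interpreted as template code.
$untrusted = 'Hello {{ 7 * 7 }}';

// Vulnerable path: the expression is evaluated by Twig.
echo render_shortcode_vulnerable($twig, $untrusted), PHP_EOL;

// Hardened path: the braces survive as literal, escaped text.
echo render_shortcode_hardened($twig, $untrusted), PHP_EOL;
```

The defensive rule this illustrates is that untrusted input must only ever reach a template engine as data (a variable passed to `render`), never as part of the template source handed to `createTemplate` or a string loader; the sandbox policy is a second layer that limits what an injected template could reach if that rule is broken somewhere else in the code base.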

The researcher has published proof-of-concept (PoC) code showing how the vulnerability can be exploited for RCE.

“As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques,” explained Defiant, the WordPress security firm that facilitated the disclosure of the flaw to the plugin’s developer. 

CVE-2024-6386 was resolved in WPML version 4.6.13, which was released on August 20. Users are advised to update to WPML version 4.6.13 as soon as possible, given that PoC code targeting CVE-2024-6386 is publicly available.

However, it should be noted that OnTheGoSystems, the plugin’s maintainer, is downplaying the severity of the vulnerability.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions. This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup,” OnTheGoSystems notes.

WPML is advertised as the most popular translation plugin for WordPress sites. It offers support for over 65 languages and multi-currency features. According to the developer, the plugin is installed on over one million websites.

Related: Exploitation Expected for Flaw in Caching Plugin Installed on 5M WordPress Sites

Related: Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover

Related: Several Plugins Compromised in WordPress Supply Chain Attack

Related: Critical WooCommerce Vulnerability Targeted Hours After Patch

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
