Security Experts:

Connect with us

Hi, what are you looking for?



WPML WordPress Plugin Vulnerabilities Expose 400,000 Websites

The developers of WPML have released an update to address several security issues that can be exploited to access website databases, delete content, and perform administrative actions.

The developers of WPML have released an update to address several security issues that can be exploited to access website databases, delete content, and perform administrative actions.

WPML is a premium plugin designed for running fully multilingual websites with WordPress. The official WPML website shows that the application is installed on more than 400,000 commercial sites.

A total of four vulnerabilities have been identified and reported by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. According to the expert, the most serious flaw is an SQL injection that can be exploited by an unauthenticated attacker to read the contents of an affected website’s database, including password hashes and other user details.

“When WPML processed a HTTP POST request containing the parameter ‘action=wp-link-ajax’, the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped,” Pynnonen explained in an advisory. “By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results.”

Another serious issue allows the removal of content from websites, including pages, posts and menus. The flaw is caused by the lack of access control in the “menu sync” functionality, which allows administrators to keep WordPress menus consistent across different languages, Pynnonen said.

The researcher has also identified a reflected cross-site scripting (XSS) vulnerability in the WPML “reminder popup” code. An attacker can leverage the bug to execute arbitrary JavaScript in the targeted user’s browser.

The last security hole identified by Pynnonen can be exploited by an unauthenticated attacker to bypass the WPML nonce check and perform any of the approximately 50 Ajax functions designed to be used by website administrators.

“The administrative ajax functions are protected with nonces to prevent unauthorized use. If the nonce check failed with $_REQUEST values, there was a secondary check that also had to fail before the request was denied,” the expert explained. “The problem is the mixed use of $_REQUEST and $_GET. If the above check succeeds, subsequent code again uses $_REQUEST instead of $_GET to determine the ajax action to perform.”

“If the attacker has a valid nonce generated by the target WordPress site – any plug-in or the core system – then they can pass the above check. They can then define a different ajax action in POST parameters to perform administrative functions without authentication,” he added.

The vulnerabilities were reported on March 2 and they were addressed by OnTheGoSystems last week with the release of WPML 3.1.9. However, since the update caused WPML to decode non-English URLs incorrectly, version was also released to address this functionality bug.

“We take the security of our clients very seriously, so as soon as we noticed these possible exploits, we set to work on a version which fixes them,” WPML developers wrote in a blog post.

In September 2014, Pynnonen identified a critical XSS vulnerability in WordPress itself. The vulnerability could have been exploited by a remote attacker to compromise websites with the aid of specially crafted comments.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.