SecurityWeek

Vulnerabilities

WPML WordPress Plugin Vulnerabilities Expose 400,000 Websites

The developers of WPML have released an update to address several security issues that can be exploited to access website databases, delete content, and perform administrative actions.

WPML is a premium plugin designed for running fully multilingual websites with WordPress. The official WPML website shows that the application is installed on more than 400,000 commercial sites.

A total of four vulnerabilities have been identified and reported by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. According to the expert, the most serious flaw is an SQL injection that can be exploited by an unauthenticated attacker to read the contents of an affected website’s database, including password hashes and other user details.

“When WPML processed a HTTP POST request containing the parameter ‘action=wp-link-ajax’, the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped,” Pynnonen explained in an advisory. “By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results.”
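The two defects the advisory names in that passage, an unvalidated language code and unescaped SQL, are the ones the following PHP snippet guards against. It is an added illustration written for this article, not WPML's code: the URL layout (language as the first path segment), the table name and the in-memory SQLite data are all assumptions made for the demo.

```php
<?php
// Added illustration (not WPML's code): deriving a language code from the
// HTTP referer safely. The value is (1) checked against an allow-list of the
// site's active languages before use and (2) passed to SQL as a bound
// parameter, so the referer never reaches the database as SQL text.
declare(strict_types=1);

/**
 * Extract a language code from a referer such as
 * https://example.test/fr/some-page/ (assumed layout: first path segment).
 * Returns null unless the code is one of the site's active languages.
 */
function language_from_referer(string $referer, array $active_languages): ?string
{
    $path = parse_url($referer, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $segments  = explode('/', trim($path, '/'));
    $candidate = $segments[0] ?? '';

    // Syntactic check first (e.g. "en", "pt-br"), then an exact allow-list match.
    if (!preg_match('/^[a-z]{2,3}(?:-[a-z]{2,4})?$/', $candidate)) {
        return null;
    }
    return in_array($candidate, $active_languages, true) ? $candidate : null;
}

/**
 * Look up translations for one language with a prepared statement. Even if
 * validation above were skipped, the value is sent as data, not as SQL.
 */
function translations_for_language(PDO $db, string $language): array
{
    $stmt = $db->prepare(
        'SELECT element_id, language_code FROM translations WHERE language_code = :lang'
    );
    $stmt->execute([':lang' => $language]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo data (in-memory SQLite, not a real WordPress schema) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE translations (element_id INTEGER, language_code TEXT)');
$db->exec("INSERT INTO translations VALUES (1, 'en'), (2, 'fr'), (3, 'fr')");

$active = ['en', 'fr', 'de'];

// A referer from a real language section resolves to "fr".
$lang = language_from_referer('https://example.test/fr/about/', $active);
var_dump($lang);                                           // string(2) "fr"
var_dump(count(translations_for_language($db, $lang)));    // int(2)

// A referer whose first segment is not an active language is rejected
// before any query is built.
var_dump(language_from_referer('https://example.test/wp-admin/', $active)); // NULL
var_dump(language_from_referer('https://example.test/xx/page/', $active));  // NULL
```

Inside a real plugin the prepared statement would go through `$wpdb->prepare()` rather than PDO, but the structure is the same: the allow-list decides whether the request is served at all, and parameter binding makes the query's text independent of the input.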

Another serious issue allows the removal of content from websites, including pages, posts and menus. The flaw is caused by the lack of access control in the “menu sync” functionality, which allows administrators to keep WordPress menus consistent across different languages, Pynnonen said.

The researcher has also identified a reflected cross-site scripting (XSS) vulnerability in the WPML “reminder popup” code. An attacker can leverage the bug to execute arbitrary JavaScript in the targeted user’s browser.

The last security hole identified by Pynnonen can be exploited by an unauthenticated attacker to bypass the WPML nonce check and perform any of the approximately 50 Ajax functions designed to be used by website administrators.

“The administrative ajax functions are protected with nonces to prevent unauthorized use. If the nonce check failed with $_REQUEST values, there was a secondary check that also had to fail before the request was denied,” the expert explained. “The problem is the mixed use of $_REQUEST and $_GET. If the above check succeeds, subsequent code again uses $_REQUEST instead of $_GET to determine the ajax action to perform.”


“If the attacker has a valid nonce generated by the target WordPress site – any plug-in or the core system – then they can pass the above check. They can then define a different ajax action in POST parameters to perform administrative functions without authentication,” he added.
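The fix pattern for the nonce problem described in the two quotes above is to read the nonce and the action it authorises from one input array, bind the nonce to that action, and treat a nonce as CSRF protection only, never as proof that the caller is an administrator. The dispatcher below is an added illustration, not WPML's or WordPress's code: its HMAC nonce is a stand-in for `wp_create_nonce()`/`wp_verify_nonce()`, and the handler names, secret and user id are constructed for the demo.

```php
<?php
// Added illustration (not WPML's or WordPress's code): an Ajax dispatcher that
// takes nonce and action from the same input array, with no fallback check.
declare(strict_types=1);

// Constructed demo secret; a real deployment uses the site's salts.
const NONCE_SECRET = 'constructed-demo-secret-not-for-production';

/** Simplified action-bound nonce (stand-in for WordPress's nonce functions). */
function make_nonce(string $action, int $user_id): string
{
    return substr(hash_hmac('sha256', "$action|$user_id", NONCE_SECRET), 0, 16);
}

function nonce_valid(string $nonce, string $action, int $user_id): bool
{
    return hash_equals(make_nonce($action, $user_id), $nonce);
}

/** Administrative handlers keyed by action name (constructed examples). */
function admin_handlers(): array
{
    return [
        'menu_sync'     => fn (): string => 'menus synchronised',
        'delete_string' => fn (): string => 'string deleted',
    ];
}

/**
 * $input is a single request array (pass $_POST for a POST-only endpoint;
 * never $_REQUEST, which merges GET, POST and cookies). $is_admin is the
 * result of a capability check such as current_user_can('manage_options').
 */
function dispatch(array $input, int $user_id, bool $is_admin): string
{
    // One source of truth for both the nonce and the action it authorises.
    $action = (string) ($input['action'] ?? '');
    $nonce  = (string) ($input['_nonce'] ?? '');

    $handlers = admin_handlers();
    if (!isset($handlers[$action])) {
        return 'unknown action';
    }
    // A nonce only proves the request was not forged cross-site; the
    // capability check is what proves the caller may run admin actions.
    if (!$is_admin) {
        return 'denied';
    }
    // The nonce is bound to this action, so a nonce issued for any other
    // action (by core or another plugin) does not verify. No secondary check.
    if (!nonce_valid($nonce, $action, $user_id)) {
        return 'denied';
    }
    return $handlers[$action]();
}

// --- constructed demo requests ---
$uid = 7;

// Matching action + nonce from an administrator: the handler runs.
echo dispatch(['action' => 'menu_sync', '_nonce' => make_nonce('menu_sync', $uid)], $uid, true), "\n";
// -> menus synchronised

// A valid nonce for a different action does not authorise this one.
echo dispatch(['action' => 'delete_string', '_nonce' => make_nonce('menu_sync', $uid)], $uid, true), "\n";
// -> denied

// Same request without administrator capability is refused regardless of nonce.
echo dispatch(['action' => 'menu_sync', '_nonce' => make_nonce('menu_sync', $uid)], $uid, false), "\n";
// -> denied
```

The design point is that the action string used to verify the nonce and the action string used to pick the handler are the same variable, read once; the mixed `$_REQUEST`/`$_GET` pattern the advisory describes is impossible to reintroduce without changing that single read.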

The vulnerabilities were reported on March 2 and they were addressed by OnTheGoSystems last week with the release of WPML 3.1.9. However, since the update caused WPML to decode non-English URLs incorrectly, version 3.1.9.1 was also released to address this functionality bug.

“We take the security of our clients very seriously, so as soon as we noticed these possible exploits, we set to work on a version which fixes them,” WPML developers wrote in a blog post.

In September 2014, Pynnonen identified a critical XSS vulnerability in WordPress itself. The vulnerability could have been exploited by a remote attacker to compromise websites with the aid of specially crafted comments.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
