A critical security flaw, identified as CVE-2024-6386 [3] [4] [5], has been discovered in the WPML Multilingual CMS plugin for WordPress [4] [6], allowing authenticated users with Contributor-level access and above to remotely execute arbitrary code [3] [8].
Description
This vulnerability affects all versions prior to 4.6.13 and is attributed to improper shortcode handling and inadequate input validation, which together allow Twig server-side template injection (SSTI). Security researcher Mat Rollings uncovered the flaw [8], which received a CVSS rating of 9.9 out of 10 [5], and reported it through the Wordfence Bug Bounty program [2] [8], earning a bounty of $1,639 [8]. Although the flaw potentially impacts over one million websites [6], the WPML maintainer has downplayed its severity, stressing that exploitation requires specific user permissions and site configurations. Cybersecurity researcher stealthcopter highlighted the importance of proper input sanitization in preventing such vulnerabilities [6] and stressed the need for ongoing security measures in development and data processing [6]. The vulnerability has been addressed in the latest release, version 4.6.13 [1] [7], and users are strongly advised to apply the patch to protect against potential threats. In the past eight days [8], researchers have earned $21,037 in bounties for reporting critical vulnerabilities in GiveWP [8], LiteSpeed Cache [8], and WPML [8].
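The following PHP snippet is an added illustration of the vulnerability class described above (a shortcode attribute reaching a Twig template), not WPML's code and not the patched code from the 4.6.13 release. The shortcode name `example_greeting`, the `name` attribute and the template text are constructed for the example; it assumes the `twig/twig` library is installed via Composer and that the file runs inside WordPress, where `shortcode_atts`, `sanitize_text_field` and `add_shortcode` are available. The vulnerable function concatenates the attribute value into the template source, so any Twig syntax in it is evaluated server-side; the hardened function keeps the template source fixed, passes the value as data, and adds Twig's sandbox as a second layer.

```php
<?php
// Added example of a shortcode-driven Twig SSTI pattern and its fix.
// NOT WPML's code: shortcode name, attribute and template are constructed.
// Assumes twig/twig (Composer) and a WordPress runtime for the wp_* helpers.

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// Vulnerable pattern: the attribute value becomes part of the template
// SOURCE, so Twig tags and expressions inside it are parsed and executed.
function example_greeting_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'visitor' ), $atts, 'example_greeting' );
    $twig = new Environment( new ArrayLoader() );
    // User-controlled string is compiled as template code, not rendered as data.
    return $twig->createTemplate( 'Hello ' . $atts['name'] . '!' )->render();
}

// Hardened pattern: fixed template source, attribute passed as DATA (Twig
// renders "{{" inside data as literal text), HTML autoescaping on, and a
// sandbox policy that restricts what any template may call.
function example_greeting_safe( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'visitor' ), $atts, 'example_greeting' );
    $name = sanitize_text_field( $atts['name'] ); // strips tags and control characters
    $twig = new Environment( new ArrayLoader(), array( 'autoescape' => 'html' ) );
    // Allow only the "if"/"for" tags and the "escape" filter; no methods,
    // properties or functions may be reached from template code.
    $policy = new SecurityPolicy( array( 'if', 'for' ), array( 'escape' ), array(), array(), array() );
    $twig->addExtension( new SandboxExtension( $policy, true ) ); // sandbox every template
    return $twig->createTemplate( 'Hello {{ name }}!' )->render( array( 'name' => $name ) );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'example_greeting', 'example_greeting_safe' );
```

The decisive difference is whether untrusted input ends up in the template source or in the template context: `createTemplate()` compiles whatever string it receives, so concatenating input into it is equivalent to letting a Contributor write template code, which is why the reported flaw carries a remote code execution rating. Sanitizing the attribute and enabling the sandbox are useful defence in depth, but neither substitutes for keeping input out of the template source.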
Conclusion
It is crucial for users to update to version 4.6.13 of the WPML Multilingual CMS plugin to mitigate the security risk posed by CVE-2024-6386. This incident underscores the importance of ongoing security measures in software development and data processing to prevent similar vulnerabilities in the future.
References
[1] https://www.techzine.eu/news/security/123813/one-million-wordpress-sites-vulnerable-due-to-leak-in-multilingualism-plugin/
[2] https://wp-content.co/wpml-plugin-patches-remote-code-execution-vulnerability/
[3] https://thehackernews.com/2024/08/critical-wpml-plugin-flaw-exposes.html
[4] https://www.channele2e.com/brief/more-than-1m-wordpress-sites-at-risk-from-multilingual-plugin
[5] https://www.csoonline.com/article/3497490/critical-plugin-flaw-opens-over-a-million-wordpress-sites-to-rce-attacks.html
[6] https://www.scmagazine.com/brief/critical-wordpress-plugin-bug-poses-compromise-risk-across-over-1m-sites
[7] https://www.krofeksecurity.com/critical-wpml-plugin-flaw-exposes-wordpress-sites-to-remote-code-execution/
[8] https://wptavern.com/remote-code-execution-vulnerability-patched-in-wpml-wordpress-plugin