WPML WP Plugin Vulnerability Risked 1M+ WordPress Websites

Latest Hacking News

WordPress admins are advised to apply the latest plugin updates to their websites, especially if they use the WPML plugin. Researchers have discovered a critical vulnerability in the WPML plugin that could allow remote code execution attacks.

WPML WP Plugin Vulnerability Allowed Remote Code Execution

A security researcher known as “stealthcopter” found a critical vulnerability in the WPML WordPress plugin.

According to his blog post, this vulnerability could enable an authenticated remote attacker to execute malicious code on the targeted website.

The vulnerability lies in the plugin's handling of shortcodes. Because input is not adequately sanitized when shortcodes are rendered through Twig templates, server-side template injection (SSTI) becomes feasible: an attacker with authenticated access to the site can supply template code that the server then executes.

The researcher responsibly disclosed the vulnerability through the Wordfence bug bounty program. The vulnerability, identified as CVE-2024-6386, was rated as critical with a CVSS score of 9.9. The Wordfence advisory describes the flaw as follows:

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

The researcher provided a Proof of Concept (PoC) for the vulnerability in his blog post. He also stressed the importance of developers ensuring proper sanitization and validation of user input, especially during dynamic content rendering.
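To make the pattern concrete, here is an added, hypothetical PHP illustration (not WPML's own code) of a shortcode handler that compiles user-supplied shortcode content as Twig template source, beside the corrected form that keeps the template fixed and passes the content only as an escaped variable. It assumes the Twig library is installed via Composer and uses the placeholder shortcode tag `example_box`.

```php
<?php
// Added illustration, not WPML's code. Assumes Twig is available via Composer
// (the plugin bootstrap would `require 'vendor/autoload.php'`).

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// VULNERABLE PATTERN: the shortcode body ($content), which any Contributor can
// type into a post, is handed to Twig as *template source*. Everything inside
// {{ ... }} or {% ... %} is therefore parsed and evaluated by the engine
// instead of being displayed as text. That is the root cause of an SSTI.
function vulnerable_shortcode_handler(array $atts, ?string $content = ''): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate((string) $content)->render([]);
}

// HARDENED PATTERN: the template is a fixed string owned by the plugin, and the
// user's text reaches it only as a *variable*. Twig never parses variable
// values as template code, and with autoescaping enabled the value is
// HTML-escaped on output, so it cannot break out of the surrounding markup.
function hardened_shortcode_handler(array $atts, ?string $content = ''): string
{
    $twig = new Environment(
        new ArrayLoader(['box.twig' => '<div class="box">{{ body }}</div>']),
        ['autoescape' => 'html']
    );
    return $twig->render('box.twig', ['body' => (string) $content]);
}

// Register the hardened handler for the placeholder tag. Inside a post, the
// text between [example_box] and [/example_box] arrives as $content.
if (function_exists('add_shortcode')) {
    add_shortcode('example_box', 'hardened_shortcode_handler');
}
```

The practical review check is therefore whether any value a Contributor can influence ever reaches `createTemplate()` or a template loader, rather than a `render()` context array. Where user-authored templates genuinely cannot be avoided, Twig's SandboxExtension with a restrictive SecurityPolicy limits what a template may call, but keeping template source out of user hands is the simpler and more robust fix.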

Patch Deployed

Upon receiving the researcher’s bug report, Wordfence collaborated with the plugin developers to address the vulnerability. Consequently, the flaw, which affects all plugin versions up to and including 4.6.12, was patched in WPML 4.6.13 and WooCommerce Multilingual 5.3.7.

In addition to ensuring a timely fix for the vulnerability from the developers, Wordfence rewarded the researcher with a $1,639 bounty for the bug report.

The WPML plugin is a specialized WooCommerce plugin that provides multilingual and multicurrency support for websites. With over 100,000 active installations, the flaw highlights the risk that plugin vulnerabilities pose to websites. It is therefore essential for all WordPress admins using this plugin to update their sites to the latest plugin release.

We welcome your thoughts in the comments.