Company Logo



Home technology cyber-security Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution


Cyber Security

 WPML plugin, security flaw, WordPress, Twig templates, cybersecurity

Updating to WPML plugin version 4.6.13 is essential due to a new vulnerability that permits authorized users to remotely execute code that is arbitrary.

The WordPress multilingual plugin WPML contains a serious security issue that could allow remote code execution on websites. This issue impacts all versions before 4.6.13, which was released on August 20, 2024. It is tracked as CVE-2024-6386 and has a CVSS score of 9.9.

Insufficient input validation and sanitization are the root of the problem, which enables authorized attackers with access levels up to Contributor to run arbitrary code on the server. The way the plugin handles shortcodes—which are used to embed media like photos and videos—is the source of the issue.

Security researcher stealthcopter, who discovered CVE-2024-6386, noted that the problem lies in the use of Twig templates for shortcode rendering. The plugin fails to properly sanitize input, resulting in server-side template injection (SSTI). SSTI enables attackers to inject malicious code into web templates, which can then be executed on the server, giving them control over the site.

In the most recent release, WPML maintainers OnTheGoSystems addressed the issue and noted that although the bug is significant, it requires editing permissions and a specific site setup to exploit. To be protected from any threats, users are still strongly encouraged to update to version 4.6.13.


Business News


Recommended News


Most Featured Companies

ciobulletin-aatrix software.jpg ciobulletin-abbey research.jpg ciobulletin-anchin.jpg ciobulletin-croow.jpg ciobulletin-keystone employment group.jpg ciobulletin-opticwise.jpg ciobulletin-outstaffer.jpg ciobulletin-spotzer digital.jpg ciobulletin-virgin incentives.jpg ciobulletin-wool & water.jpg ciobulletin-archergrey.jpg ciobulletin-canon business process services.jpg ciobulletin-cellwine.jpg ciobulletin-digital commerce bank.jpg ciobulletin-epic golf club.jpg ciobulletin-frannexus.jpg ciobulletin-growth institute.jpg ciobulletin-implantica.jpg ciobulletin-kraftpal technologies.jpg ciobulletin-national retail solutions.jpg ciobulletin-pura.jpg ciobulletin-segra.jpg ciobulletin-the keith corporation.jpg ciobulletin-vivolor therapeutics inc.jpg ciobulletin-cox.jpg ciobulletin-lanner.jpg ciobulletin-neuro42.jpg ciobulletin-Susan Semmelmann Interiors.jpg ciobulletin-alpine distilling.jpg ciobulletin-association of black tax professionals.jpg ciobulletin-c2ro.jpg ciobulletin-envirotech vehicles inc.jpg ciobulletin-leafhouse financial.jpg ciobulletin-stormforge.jpg ciobulletin-tedco.jpg ciobulletin-transigma.jpg ciobulletin-retrain ai.jpg
ciobulletin-abacus semiconductor corporation.jpg ciobulletin-agape treatment center.jpg ciobulletin-cloud4wi.jpg ciobulletin-exponential ai.jpg ciobulletin-lexrock ai.jpg ciobulletin-otava.jpg ciobulletin-resecurity.jpg ciobulletin-suisse bank.jpg ciobulletin-wise digital partners.jpg ciobulletin-appranix.jpg ciobulletin-autoreimbursement.jpg ciobulletin-castle connolly.jpg ciobulletin-cgs.jpg ciobulletin-dth expeditors.jpg ciobulletin-form.jpg ciobulletin-geniova.jpg ciobulletin-hot spring it.jpg ciobulletin-kirkman.jpg ciobulletin-matrix applications.jpg ciobulletin-power hero.jpg ciobulletin-rittenhouse.jpg ciobulletin-stt logistics group.jpg ciobulletin-upstream works.jpg ciobulletin-x2engine.jpg ciobulletin-kastle.jpg ciobulletin-logix.jpg ciobulletin-preclinical safety (PCS) consultants ltd.jpg ciobulletin-xcastlabs.jpg ciobulletin-american battery solutions inc.jpg ciobulletin-book4time.jpg ciobulletin-d&l education solutions.jpg ciobulletin-good good natural sweeteners llc.jpg ciobulletin-sigmetrix.jpg ciobulletin-syncari.jpg ciobulletin-tier44 technologies.jpg ciobulletin-xaana.jpg

Latest Magazines

© 2024 CIO Bulletin Inc. All rights reserved.