Home technology cyber-security Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
Cyber Security
CIO Bulletin
2024-08-28
Updating to WPML plugin version 4.6.13 is essential due to a new vulnerability that permits authorized users to remotely execute code that is arbitrary.
The WordPress multilingual plugin WPML contains a serious security issue that could allow remote code execution on websites. This issue impacts all versions before 4.6.13, which was released on August 20, 2024. It is tracked as CVE-2024-6386 and has a CVSS score of 9.9.
Insufficient input validation and sanitization are the root of the problem, which enables authorized attackers with access levels up to Contributor to run arbitrary code on the server. The way the plugin handles shortcodes—which are used to embed media like photos and videos—is the source of the issue.
Security researcher stealthcopter, who discovered CVE-2024-6386, noted that the problem lies in the use of Twig templates for shortcode rendering. The plugin fails to properly sanitize input, resulting in server-side template injection (SSTI). SSTI enables attackers to inject malicious code into web templates, which can then be executed on the server, giving them control over the site.
In the most recent release, WPML maintainers OnTheGoSystems addressed the issue and noted that although the bug is significant, it requires editing permissions and a specific site setup to exploit. To be protected from any threats, users are still strongly encouraged to update to version 4.6.13.
Digital-marketing
Artificial-intelligence
Lifestyle-and-fashion
Food-and-beverage