A recently discovered security vulnerability in the WPML (WordPress Multilingual) plugin has put over a million WordPress websites at significant risk. The flaw allows Remote Code Execution (RCE): an attacker could run arbitrary code on the affected server and potentially take full control of the compromised website.
This security flaw, tracked as CVE-2024-6386, affects all versions of the WPML plugin up to and including version 4.6.12. It can be exploited by any authenticated user with Contributor-level permissions or higher, so websites that give such accounts to untrusted users are particularly at risk.
The issue was identified by a security researcher known as “stealth copter,” who responsibly reported the problem through the Wordfence Bug Bounty program and received a reward of $1,639 for the discovery.
Short technical analysis of the WPML code problem
The problem stems from insufficient validation and sanitization of user input that is passed to Twig, a popular PHP template engine. Specifically, the vulnerability lies in the render() function of the WPML_LS_Public_API class, which processes user-supplied templates without adequate security checks. Because the user-controlled string is treated as template code rather than as plain data, an attacker can perform a server-side template injection (SSTI) attack and execute malicious code on the server.
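To make the class of bug concrete, here is an added illustration written against Twig's public API; it is not WPML's code and not the actual patch. It shows the unsafe pattern (a user-controlled string used as the template source) beside two hardened alternatives: a fixed developer template that receives user input only as data, and Twig's sandbox with an explicit allow-list. It assumes Twig is installed via Composer; $user_template and the function names are hypothetical.

```php
<?php
// Added illustration, not WPML's code: the template-injection pattern described
// above beside two hardened alternatives, written against Twig's public API.
// Assumes Twig is installed via Composer; $user_template and the function names
// here are hypothetical and stand in for any user-controlled template string.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed sample: a template string a Contributor-level user could control.
// The arithmetic probe is how testers confirm that expressions are evaluated.
$user_template = 'Language: {{ name }} {{ 7 * 7 }}';
$data = ['name' => 'Deutsch'];

// VULNERABLE PATTERN: the user string becomes the template source, so every
// Twig construct inside it (expressions, filters, method calls) is executed.
function render_unsafe(string $user_template, array $data): string {
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($user_template)->render($data);
}

// HARDENED PATTERN 1: the template is fixed by the developer; user input only
// ever enters as data and is HTML-escaped on output, never parsed as Twig.
function render_fixed_template(array $data): string {
    $twig = new Environment(new ArrayLoader(['ls' => 'Language: {{ name }}']),
                            ['autoescape' => 'html']);
    return $twig->render('ls', $data);
}

// HARDENED PATTERN 2: if user-authored templates are a product requirement,
// compile them under Twig's sandbox with an explicit allow-list; anything not
// listed (here, the |lower filter) raises SecurityError instead of running.
function render_sandboxed(string $user_template, array $data): string {
    $policy = new SecurityPolicy(['if', 'for'], ['escape', 'upper'], [], [], []);
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // always sandboxed
    return $twig->createTemplate($user_template)->render($data);
}

echo render_unsafe($user_template, $data), "\n";              // the 7 * 7 expression is evaluated
echo render_fixed_template(['name' => $user_template]), "\n"; // user string is printed literally, not parsed
try {
    echo render_sandboxed('{{ name|lower }}', $data), "\n";
} catch (SecurityError $e) {
    echo "blocked by sandbox: ", $e->getMessage(), "\n";
}
```

The first hardened pattern is the right default; the sandbox only makes sense when letting users author templates is a deliberate feature, and even then the policy should allow as little as possible.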
Urgent action required
It is crucial that all users update to the latest version of the WPML plugin (any release later than 4.6.12) to minimize the risk of an attack. The CVSS score of 9.9 (critical) emphasizes the urgency of this update. This incident once again highlights the importance of implementing robust security practices and regularly updating plugins to keep your WordPress environment safe.
With the increasing complexity of plugins, incidents like this remind us to remain vigilant and proactive in securing our websites.
Looking for Support?
If you’re looking for a maintenance service to handle these important security updates for you, feel free to check out this page.
I’ll make sure your website stays up-to-date and secure!