Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.

The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.

Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.

Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin’s handling of shortcodes that are used to insert post content such as audio, images, and videos.

“Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI),” the researcher said.

SSTI, as the name implies, occurs when an attacker is able to use native template syntax to inject a malicious payload into a web template, which is then executed on the server. An attacker could then weaponize the shortcoming to execute arbitrary commands, effectively allowing them to take control of the site.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” the plugin maintainers, OnTheGoSystems, said. “This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup.”

Users of the plugin are recommended to apply the latest patches to mitigate against potential threats.

Update

In a new post detailing the timeline of events, OnTheGoSystems said it has released WPML 4.6.13 to patch CVE-2024-6386 and WooCommerce Multilingual 5.3.7 to address a similar vulnerability that was reported by Patchstack.

It further emphasized that a successful attack requires a bad actor to have editing privileges on a WordPress site (i.e., a Contributor role and above) and that the issue has been fully resolved.

“That being said, the severity comes down to what types of users you have on your site,” the company said. “If you and your team are the sole admins/writers/editors on the site, there’s no one outside of you or your team that could exploit this vulnerability.”

“On the other hand, if you’re running a site with users that have Contributor-level access and you don’t know these persons personally, you might be more at risk.”

(The story was updated after publication to include additional details about the fix and its impact.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.