Hey there, WordPress admins! It’s time to roll up your sleeves and update your websites once more to stay on top of plugin security. A critical vulnerability has been uncovered in the WPML plugin, putting websites at risk of remote code execution attacks.
Breaking News: WPML Plugin Vulnerability Exposed
Recently, a security researcher known as “stealthcopter” unearthed a major flaw in the WPML WordPress plugin.
In a detailed blog post, the researcher showed how this vulnerability could allow a remote attacker to run malicious code on your website.
The vulnerability stems from the mishandling of shortcodes within the plugin, leading to server-side template injection (SSTI) through Twig templates: attribute text supplied through a shortcode ends up compiled as Twig template source rather than treated as data. This means that an authenticated attacker with an account on the target site could inject harmful code.
Wordfence, in their advisory, flagged this vulnerability as CVE-2024-6386 with a critical severity rating and a CVSS score of 9.9.
The flaw in the WPML plugin, up to version 4.6.12, allows for Remote Code Execution through Twig Server-Side Template Injection. This is due to a lack of input validation, enabling attackers with Contributor-level access and above to execute code on the server.
The researcher provided a proof of concept (PoC) in his blog post and stressed the importance of proper input validation and sanitization to prevent such vulnerabilities.
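To make the SSTI mechanism concrete, here is an added PHP example that is not WPML's code and not taken from the researcher's post. It contrasts the unsafe pattern the advisory describes (user-supplied shortcode text compiled as Twig template source) with the safe pattern (a fixed template owned by the plugin, with the user text passed in as a variable), plus Twig's sandbox as a defence-in-depth option. It assumes Twig is installed via Composer; the template names, function names and the sample attribute value are constructed for illustration.

```php
<?php
// Added example, not WPML's code. Assumes `composer require twig/twig` was run.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample: text a low-privilege author could save as a shortcode
// attribute. Any Twig syntax in it must be treated as data, never as code.
$attr = '{{ 7 * 7 }}';

// UNSAFE: the attribute text is concatenated into the template *source*,
// so Twig compiles and evaluates whatever the user typed.
function renderUnsafe(string $userText): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate('<span>' . $userText . '</span>')->render([]);
}

// SAFE: the template is fixed and ships with the plugin; the user text is a
// variable, escaped on output by Twig's autoescape ('html' strategy).
function renderSafe(string $userText): string
{
    $twig = new Environment(new ArrayLoader([
        'label.html.twig' => '<span>{{ text }}</span>',
    ]), ['autoescape' => 'html']);
    return $twig->render('label.html.twig', ['text' => $userText]);
}

// DEFENCE IN DEPTH: if a feature genuinely needs user-authored templates,
// compile them only inside Twig's sandbox with an explicit allow-list.
// Anything outside the policy (tags, filters, methods, properties, functions)
// makes Twig throw \Twig\Sandbox\SecurityError instead of executing.
function renderSandboxed(string $userTemplate): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],       // allowed tags
        ['escape', 'upper'], // allowed filters
        [],                  // allowed methods: none
        [],                  // allowed properties: none
        []                   // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // always sandboxed
    return $twig->createTemplate($userTemplate)->render(['text' => 'hello']);
}

echo renderUnsafe($attr), PHP_EOL;
echo renderSafe($attr), PHP_EOL;
echo renderSandboxed('{{ text|upper }}'), PHP_EOL;
```

Run it with `php example.php` (the filename is an assumption). The unsafe path evaluates the arithmetic inside the attribute and prints the result, which is exactly the behaviour that lets template syntax reach the engine; the safe path prints the attribute text verbatim because it never becomes template source. Input validation of shortcode attributes, as the researcher recommends, is still worthwhile, but the structural fix is the one in `renderSafe`: keep templates static and pass user data in as variables. The sandbox restricts what a template may call; it does not stop simple expressions, so it complements rather than replaces that separation.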
Security Patch Deployed
Thanks to the researcher’s report, Wordfence collaborated with the plugin developers to swiftly address the vulnerability. The fix was rolled out with WPML 4.6.13 and WooCommerce Multilingual 5.3.7.
In addition to ensuring a timely fix, Wordfence awarded the researcher a $1,639 bounty for his valuable bug report.
The WPML plugin, known for its multilingual and multicurrency support for WooCommerce websites, currently powers over 100,000 active installations. This highlights the importance of updating your site with the latest plugin release to mitigate potential risks.
We’d love to hear your thoughts on this issue. Share your comments below!