A critical security flaw was discovered in the WPML multilingual WordPress plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), affects all versions of the plugin before 4.6.13, which was released on August 20, 2024.
The issue, which stems from a lack of input validation and sanitization, allows authenticated attackers with Contributor access and above to execute code on the server.
WPML is a popular plugin used to create multilingual WordPress sites. It has over a million active installs.
Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin’s handling of shortcodes, which are used to insert content such as audio, images and video.
“Specifically, the plugin uses Twig templates to render content in shortcodes, but fails to properly sanitize the input, resulting in Server-Side Template Injection (SSTI),” the researcher said.
SSTI, as the name suggests, occurs when an attacker can use the template engine’s own syntax to inject a malicious payload into a web template that is then evaluated on the server. An attacker could then use the flaw to execute arbitrary commands, effectively allowing them to take control of the site.
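To make the distinction concrete, the following added example (not WPML’s code, and not the researcher’s) contrasts the pattern behind an SSTI with its safe counterpart: untrusted text compiled as Twig template source versus the same text passed as a template variable. It assumes twig/twig is installed via Composer; the template name, the function names and the sample text are constructed for illustration.

```php
<?php
// Added illustration of the SSTI pattern, not code from WPML.
// Assumes `composer require twig/twig` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample: text a low-privilege user (e.g. a Contributor) could
// place inside a shortcode. It contains template syntax, not just HTML.
$untrusted = 'Hello {{ 7 * 7 }}';

$twig = new Environment(new ArrayLoader([
    // Hypothetical fixed shortcode template; user text is only a variable.
    'shortcode.twig' => '<div class="media">{{ caption }}</div>',
]));

// VULNERABLE pattern: the user text is concatenated into the template
// source, so any Twig syntax it carries is parsed and evaluated by the
// engine on the server. This is the root of a server-side template injection.
function renderVulnerable(Environment $twig, string $userText): string
{
    $source = '<div class="media">' . $userText . '</div>';
    return $twig->createTemplate($source)->render([]);
}

// HARDENED pattern: the template is fixed at development time and the user
// text enters only as data. Twig never parses variable values as template
// code, and its default HTML autoescaping also neutralises markup in them.
function renderHardened(Environment $twig, string $userText): string
{
    return $twig->render('shortcode.twig', ['caption' => $userText]);
}

// In the vulnerable path the arithmetic is evaluated by the engine;
// in the hardened path the braces and expression appear literally.
echo renderVulnerable($twig, $untrusted), PHP_EOL;
echo renderHardened($twig, $untrusted), PHP_EOL;
```

When reviewing plugin code, the thing to look for is any call such as `createTemplate()` (or a string loader) whose source is built from post content, shortcode attributes or other user-controlled input.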
“This release of WPML fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” the plugin’s developers, OnTheGoSystems, said. “This problem is unlikely to occur in real-world scenarios. It requires users to have editing permission in WordPress, and the site must use very specific settings.”
Plugin users are advised to apply the latest patches to mitigate potential threats.