Pierluigi Paganini August 27, 2024

A critical flaw in the WPML WordPress plugin, which is installed on 1 million websites, could allow potential compromise of affected sites.

The WPML Multilingual CMS Plugin for WordPress is installed on over 1 million sites. An authenticated (Contributor+) Remote Code Execution (RCE) vulnerability, tracked CVE-2024-6386 (CVSS score of 9.9), in WPML Plugin potentially allows the compromise of impacted websites.

WPML makes it easy to build multilingual sites and run them.

“The vulnerability lies in the handling of shortcodes within the WPML plugin. Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).” reads a report published by the researcher stealthcopter, who discovered and responsibly reported this issue through the Wordfence Bug Bounty Program. The researcher earned a bounty of $1,639.00 for this discovery.

The WPML WordPress plugin relies on Twig templates for rendering shortcode content but fails to properly sanitize input, leading to a server-side template injection (SSTI) vulnerability. This flaw can be exploited for remote code execution (RCE), as demonstrated by proof-of-concept (PoC) code published by the researcher.

“This vulnerability is a classic example of the dangers of improper input sanitization in templating engines. Developers should always sanitize and validate user inputs, especially when dealing with dynamic content rendering. This case serves as a reminder that security is a continuous process, requiring vigilance at every stage of development and data processing.” continues stealthcopter.

The flaw affects plugin versions prior 4.6.13

However, the plugin’s maintainer OnTheGoSystems downplayed the issue saying that the flaw is hard to exploit in real-world scenarios.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions. This issue is unlikely to occur in real-world scenarios.” OnTheGoSystems wrotes. “It requires users to have editing permissions in WordPress, and the site must use a very specific setup,”

“We encourage WordPress users to verify that their sites are updated to the latest patched version of WPML as soon as possible considering the critical nature of this vulnerability.” reads the post published by Wordfence.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganin

(SecurityAffairs – hacking, Volt Typhoon)