Security researchers discovered a critical vulnerability in the WPML WordPress plugin, currently installed on more than a million websites, posing a significant security risk.
The flaw, tracked as CVE-2024-6386 and carrying a CVSS score of 9.9, is a critical remote code execution (RCE) vulnerability affecting all versions through 4.6.12 of the WPML plugin.
The plugin WPML, short for WordPress Multilingual, lets website owners build and manage multilingual websites. The newly identified vulnerability stems from the plugin’s failure to validate and sanitize input on its render
function.
According to stealthcopter, the cybersecurity researcher who discovered and reported the flaw, the “vulnerability lies in the handling of shortcodes within the WPML plugin. Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).”
Stealthcopter reported the flaw responsibly through the Wordfence Bug Bounty Program and earned a bounty of $1,639.00 for the discovery.
Stealthcopter further commented on the implications of such vulnerabilities, highlighting the importance of rigorous input validation.
“This vulnerability is a classic example of the dangers of improper input sanitization in templating engines,” the researcher said. “Developers should always sanitize and validate user inputs, especially when dealing with dynamic content rendering.”
On the other hand, OnTheGoSystems, the maintainer of the affected plugin, believes that threat actors would need special circumstances to exploit the flaw.
After releasing a fix for the vulnerability, the company said the issue is “unlikely to occur in real-world scenarios,” adding that perpetrators would need to have “editing permissions in WordPress” and use a site with a “very specific setup.”
As this situation unfolds, WordPress site administrators are strongly recommended to assess their sites and make sure all security measures are up-to-date to protect against this and other vulnerabilities.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 19, 2024
November 14, 2024