
Critical WPML Plugin Vulnerability Affects Over 1 Million WordPress Sites

Vlad CONSTANTINESCU

August 28, 2024


Security researchers discovered a critical vulnerability in the WPML WordPress plugin, currently installed on more than a million websites, posing a significant security risk.

The flaw, tracked as CVE-2024-6386 and carrying a CVSS score of 9.9, is a critical remote code execution (RCE) vulnerability affecting all versions through 4.6.12 of the WPML plugin.

Flaw Stemmed from Failure to Validate and Sanitize Input

WPML, short for WordPress Multilingual, lets website owners build and manage multilingual websites. The newly identified vulnerability stems from the plugin’s failure to validate and sanitize input passed to its render function.

According to stealthcopter, the cybersecurity researcher who discovered and reported the flaw, the “vulnerability lies in the handling of shortcodes within the WPML plugin. Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).”
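As an added illustration (not WPML's code, nor the researcher's proof of concept), the pattern the researcher describes next to the corrected one: user-controlled shortcode content compiled as Twig template source, versus a fixed template that receives that content only as a variable. It assumes a Composer-installed Twig and, when run inside WordPress, the core shortcode API; the function names are hypothetical.

```php
<?php
// Added example, not part of the original article or the WPML plugin.
// Assumes Twig is installed via Composer (vendor/autoload.php).
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Vulnerable pattern: the shortcode body becomes template *source code*, so
// Twig compiles and evaluates whatever a user with editing rights typed.
function demo_render_unsafe(string $shortcode_content): string {
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($shortcode_content)->render();
}

// Hardened pattern: the template is fixed by the developer; user input enters
// only as a context variable, which Twig treats as data and autoescapes.
function demo_render_safe(string $shortcode_content): string {
    $loader = new ArrayLoader(['shortcode.html.twig' => '<p>{{ content }}</p>']);
    $twig   = new Environment($loader, ['autoescape' => 'html']);
    return $twig->render('shortcode.html.twig', ['content' => $shortcode_content]);
}

// Shortcode handler wired the safe way (only registered when WordPress is loaded).
if (function_exists('add_shortcode')) {
    add_shortcode('demo_box', function ($atts, $content = '') {
        $content = sanitize_text_field((string) $content);
        return demo_render_safe($content);
    });
}

// Self-check on a constructed input containing Twig syntax: the unsafe path
// evaluates it, the safe path reproduces it literally.
$probe = 'Hello {{ 7 * 7 }}';
var_dump(demo_render_unsafe($probe) === 'Hello 49');                   // bool(true)
var_dump(demo_render_safe($probe)   === '<p>Hello {{ 7 * 7 }}</p>');   // bool(true)
```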

Stealthcopter reported the flaw responsibly through the Wordfence Bug Bounty Program and earned a bounty of $1,639.00 for the discovery.

Further Implications and the Importance of Input Validation

Stealthcopter further commented on the implications of such vulnerabilities, highlighting the importance of rigorous input validation.

“This vulnerability is a classic example of the dangers of improper input sanitization in templating engines,” the researcher said. “Developers should always sanitize and validate user inputs, especially when dealing with dynamic content rendering.”

On the other hand, OnTheGoSystems, the maintainer of the affected plugin, believes that threat actors would need special circumstances to exploit the flaw.

After releasing a fix for the vulnerability, the company said the issue is “unlikely to occur in real-world scenarios,” adding that perpetrators would need to have “editing permissions in WordPress” and use a site with a “very specific setup.”

Website Administrators Urged to Update Affected Plugin Versions

As this situation unfolds, WordPress site administrators are strongly advised to check whether their sites run an affected WPML version (4.6.12 or earlier), apply the vendor's fix, and make sure all other security measures are up to date to protect against this and other vulnerabilities.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.