A critical security vulnerability has been discovered in the multilingual WordPress plugin WPML, which could allow authenticated users to remotely execute arbitrary code under certain circumstances.
The vulnerability, designated CVE-2024-6386 (CVSS score: 9.9), affects all versions of the plugin prior to 4.6.13, which was released on August 20, 2024.
The issue stems from missing input validation and sanitisation, and it allows authenticated attackers with Contributor-level access or higher to execute code on the server.
WPML is a popular plugin for creating multilingual WordPress sites. It has over a million active installations.
Security researcher Stealthcopter, who discovered and reported CVE-2024-6386, said the issue lies in the plugin’s handling of shortcodes used to insert post content such as audio, images and videos.
“Specifically, the plugin uses Twig templates to render content in shortcodes, but does not properly sanitize the inputs, resulting in server-side template injection (SSTI),” the researcher said.
SSTI, as the name suggests, occurs when an attacker can use native template syntax to inject a malicious payload into a web template that is then executed on the server. An attacker could then weaponize this weakness to execute arbitrary commands, effectively taking control of the site.
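As an added example (not code from the plugin, the researcher or the maintainers), the following Python audit parses WordPress-style shortcodes in post content and flags attribute values that carry Twig delimiters, the class of input that this bug turns into template source; the shortcode names and the sample post body are constructed for illustration.

```python
import re

# Twig's three delimiter families: output {{ }}, logic {% %}, comment {# #}.
TWIG_DELIMS = re.compile(r"\{\{|\{%|\{#")

# Simplified WordPress shortcode grammar: [name attr="v" attr2='v' attr3=v].
# Attribute values containing ']' are not handled by this simplified parser.
SHORTCODE = re.compile(r"\[(?P<name>[a-zA-Z0-9_-]+)(?P<attrs>[^\]]*)\]")
ATTR = re.compile(
    r"""(?P<key>[a-zA-Z0-9_-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s\]]+))"""
)


def parse_shortcodes(content):
    """Return a list of (shortcode_name, {attribute: value}) found in content."""
    found = []
    for m in SHORTCODE.finditer(content):
        attrs = {}
        for a in ATTR.finditer(m.group("attrs")):
            attrs[a.group("key")] = a.group("dq") or a.group("sq") or a.group("bare") or ""
        found.append((m.group("name"), attrs))
    return found


def find_template_syntax(content, watched=None):
    """Flag shortcode attributes whose value contains Twig delimiters.

    watched: optional set of shortcode names to restrict the audit to
    (None audits every shortcode). Returns (shortcode, attribute, value) tuples.
    """
    hits = []
    for name, attrs in parse_shortcodes(content):
        if watched is not None and name not in watched:
            continue
        for key, value in attrs.items():
            if TWIG_DELIMS.search(value):
                hits.append((name, key, value))
    return hits


if __name__ == "__main__":
    # Constructed post body with hypothetical shortcode names: one benign
    # shortcode, one whose title attribute smuggles Twig syntax into a field
    # that should only ever be plain text.
    sample = (
        '[example_audio src="track.mp3" title="Intro"]\n'
        '[example_video src="clip.mp4" title="{{ 1 + 1 }}"]\n'
    )
    for hit in find_template_syntax(sample):
        print("template syntax in shortcode attribute:", hit)
```

Run over a content export by any role with Contributor access or higher, a non-empty result is a review item; the durable fix remains passing attribute values to Twig as template variables, never as template source.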
“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” said the plugin maintainers at OnTheGoSystems. “This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress and the site to use a very specific setup.”
Users of the plugin are advised to apply the latest patches to mitigate potential threats.