WordPress admins should once again update the plugins on their websites, particularly if they run the WPML plugin. Researchers found a critical vulnerability in the WPML plugin that allows remote code execution attacks.
WPML WP Plugin Vulnerability Allowed Remote Code Execution
A security researcher with the alias “stealthcopter” discovered a critical vulnerability in the WPML WordPress plugin.
As explained in his blog post, the vulnerability could allow an authenticated remote adversary to execute malicious code on the target website.
Specifically, the issue exists in the “handling of shortcodes within the plugin”. Due to improper input sanitization while rendering shortcodes via Twig templates, server-side template injection (SSTI) becomes possible. Hence, an adversary with authenticated access to the target site may inject malicious code.
The researcher responsibly disclosed the vulnerability via the Wordfence bug bounty program. According to the Wordfence advisory, the vulnerability, identified as CVE-2024-6386, received a critical severity rating with a CVSS score of 9.9. Describing the flaw, the advisory reads,
The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
The researcher presented a PoC for the vulnerability in his blog post. He also emphasized the need for developers to ensure proper sanitization and validation of user input, particularly during dynamic content rendering.
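To make the bug class concrete, here is an added, hypothetical PHP example (it is not WPML's actual code; the shortcode name `demo_tpl`, the `text` attribute and the Twig setup are assumptions). It contrasts a shortcode handler that compiles a user-supplied attribute as Twig template source, which is the SSTI pattern described above, with a hardened handler that keeps the template fixed and passes the attribute value only as escaped data.

```php
<?php
// Added illustrative example, not code from WPML. Assumes twig/twig is installed
// via Composer and that WordPress' shortcode_atts()/sanitize_text_field() exist.
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// VULNERABLE pattern: the attribute value becomes the *template source*.
// Whatever a Contributor puts in the attribute is compiled and executed by
// Twig rather than displayed, which is server-side template injection.
function demo_vulnerable_shortcode(array $atts): string {
    $atts = shortcode_atts(['text' => ''], $atts, 'demo_tpl');
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($atts['text'])->render();
}

// HARDENED pattern: the template source is a constant written by the
// developer; the attribute is validated, then handed to Twig only as a
// variable. With autoescaping on, it is rendered as inert HTML text.
function demo_hardened_shortcode(array $atts): string {
    $atts = shortcode_atts(['text' => ''], $atts, 'demo_tpl');

    // Validate against what the attribute is meant to hold: a short label.
    $text = sanitize_text_field($atts['text']);
    if ($text === '' || strlen($text) > 200) {
        return '';
    }

    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $template = $twig->createTemplate('<span class="demo">{{ text }}</span>');
    return $template->render(['text' => $text]);
}

add_shortcode('demo_tpl', 'demo_hardened_shortcode');
```

The difference to audit for in a code review is whether untrusted input reaches `createTemplate()` (or a template loader) as source, versus reaching `render()` only as data.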
Patch Deployed
Following the researcher’s bug report, Wordfence coordinated with the plugin developers to fix the vulnerability. Consequently, the flaw that affected all plugin versions up to and including v4.6.12 eventually received a patch with WPML 4.6.13 and WooCommerce Multilingual 5.3.7.
Besides ensuring a prompt fix from the developers, Wordfence also rewarded the researcher with a $1,639 bounty for the bug report.
The WPML plugin is a dedicated WooCommerce plugin offering multilingual and multicurrency support for websites. It currently boasts over 100,000 active installations, which indicates the number of websites potentially at risk from plugin vulnerabilities. Therefore, it is crucial for all WordPress admins running this plugin to update their sites to the latest plugin release.