An alarming security vulnerability has been identified within the WPML (WordPress Multilingual) plugin, which has the potential to allow authenticated users to perform remote code execution under specific conditions. This security flaw, designated as CVE-2024-6386, carries a critical CVSS score of 9.9 and affects all versions prior to 4.6.13, released on August 20, 2024. With over one million active installations, WPML is widely used for creating multilingual WordPress sites, positioning a significant number of websites at risk.
The vulnerability primarily stems from insufficiencies in input validation and sanitization measures, which enables attackers with Contributor-level access or higher to execute code on the server. According to security researcher stealthcopter, who discovered this issue, the root of the problem lies in WPML’s management of shortcodes utilized for embedding content like images and videos.
The security researcher highlighted that the plugin employs Twig templates for shortcode content rendering, yet fails to adequately sanitize the input, thereby paving the way for server-side template injection (SSTI). This vulnerability can be exploited when an attacker injects a malicious payload into a web template using native template syntax, allowing for the execution of arbitrary system commands and granting potential access to the site owner’s control.
The WPML maintainers, OnTheGoSystems, issued an official statement indicating that the recent plugin update addresses this critical vulnerability. They noted that exploitation is unlikely in practical scenarios, requiring users to possess editing permissions alongside a very particular setup. They further clarified that patching the plugin is essential to safeguard against potential security threats.
In an update, OnTheGoSystems provided a timeline of their actions, confirming the release of WPML 4.6.13 to rectify CVE-2024-6386 and WooCommerce Multilingual 5.3.7 for a related vulnerability uncovered by Patchstack. They emphasized that a successful intrusion necessitates that the attacker holds editing rights on the WordPress site, specifically a Contributor role or above. This means the risk can be mitigated significantly in environments with a limited number of trusted users.
For business owners, the incident underscores the necessity of maintaining robust cybersecurity practices and keeping software up-to-date to reduce the probability of similar vulnerabilities being exploited. As demonstrated, adversary tactics, such as privilege escalation, persistence, and their potential methods, are pertinent to understanding how these types of vulnerabilities can be used to compromise system integrity.
Further details were added after publication to elaborate on the response to the vulnerability and its ramifications.
