WordPress plugin flaw puts 1,000,000 sites at risk for attacks

TLDR:

– A vulnerability in the WPML plugin for WordPress puts over a million sites at risk of remote code execution attacks.
– The flaw allows authenticated users to execute arbitrary code on the server.
– The vulnerability arises from a lack of input validation and sanitization in the plugin’s use of Twig.

Article:

A vulnerability in the WPML (WordPress Multilingual) plugin has put over a million WordPress sites at risk of remote code execution (RCE) attacks. Authenticated users with contributor-level access can execute arbitrary code, potentially leading to a complete site takeover. The flaw, tracked as CVE-2024-6386, affects all versions of the plugin up to 4.6.12. It was responsibly reported, and a patch was released on August 20, 2024; users are urged to update. The incident highlights the importance of security practices in the WordPress ecosystem.

The vulnerability stems from a lack of input validation and sanitization in the plugin’s use of the popular templating engine Twig, which allows attackers to inject and execute malicious code through server-side template injection (SSTI). A proof-of-concept exploit using the [wpml_language_switcher] shortcode demonstrates how attackers can leverage the vulnerability to execute PHP functions such as phpinfo(). Wordfence released a firewall rule to protect its users, and the WPML team released a patch to address the vulnerability.
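To make the root cause concrete, here is an added example (not WPML's code, and not taken from the Wordfence write-up) showing the general shape of a Twig template injection bug beside its corrected form. It assumes Twig is installed via Composer; the function names and the sample input are constructed for illustration.

```php
<?php
// Added example (not WPML's code): the general shape of a server-side template
// injection bug in Twig, beside the corrected form. Assumes Twig is installed
// via Composer (composer require twig/twig); function names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Vulnerable pattern: a string that includes user-controlled data (for example
// a shortcode attribute) is concatenated into the template source and then
// compiled, so any Twig syntax inside that data is evaluated, not displayed.
function render_label_vulnerable(Environment $twig, string $label): string
{
    return $twig->createTemplate('<span class="lang">' . $label . '</span>')->render();
}

// Corrected pattern: the template source is a fixed string and the user data is
// handed over as a context variable. Twig then treats it purely as data and,
// with autoescaping on, HTML-escapes it on output.
function render_label_safe(Environment $twig, string $label): string
{
    return $twig->createTemplate('<span class="lang">{{ label }}</span>')
                ->render(['label' => $label]);
}

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);

// Constructed input: a harmless arithmetic expression in Twig syntax, the usual
// canary for checking whether input is being compiled as template code.
$input = '{{ 7 * 7 }}';

echo render_label_vulnerable($twig, $input), PHP_EOL;
echo render_label_safe($twig, $input), PHP_EOL;
```

The check a reviewer wants here is whether the rendered output contains the computed result of the expression or the expression itself: the vulnerable function evaluates the canary, while the safe function prints it back literally. The same rule applies to shortcode attributes in WordPress: sanitize them (for example with sanitize_text_field) and pass them to the template as variables, never splice them into the template source.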

As plugins in WordPress become more complex, vulnerabilities like this serve as a reminder of the risks associated with third-party integrations. Users are advised to stay vigilant and proactive in maintaining their site’s security. The critical CVSS score of 9.9 emphasizes the urgency of updating to mitigate the risk.
