A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.
Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.
Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin’s handling of shortcodes that are used to insert post content such as audio, images, and videos.
“Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI),” the researcher said.
SSTI, as the name implies, occurs when an attacker is able to use native template syntax to inject a malicious payload into a web template, which is then executed on the server. An attacker could then weaponize the shortcoming to execute arbitrary commands, effectively allowing them to take control of the site.
“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” the plugin maintainers, OnTheGoSystems, said. “This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup.”
Users of the plugin are recommended to apply the latest patches to mitigate against potential threats.