Channel: ‘Would rather pay bounty than ransom’: Coinbase on $20M extortion attempt | CSO Online
Critical plugin flaw opens over a million WordPress sites to RCE attacks

A critical vulnerability has been reported in WPML — a multilingual WordPress plugin with more than a million installations globally — that allows remote code execution on affected WordPress sites.

The vulnerability tracked as CVE-2024-6386 received a CVSS rating of 9.9 out of 10 and affects all versions of the plugin before 4.6.13.

“The WPML Multilingual CMS Plugin for WordPress is susceptible to an Authenticated (Contributor+) Remote Code Execution (RCE) vulnerability through a Twig server-side template injection,” security researcher “stealthcopter,” who received a $1,639 bounty for discovering the bug, said in a blog post.

RCE through Twig SSTI

Twig server-side template injection (SSTI) occurs when user input is inserted directly into the source of a Twig template (Twig is a popular PHP templating engine) without proper sanitization or escaping, so the engine parses and executes whatever template syntax the input contains. When the web application lets an attacker control such input, the result can be remote code execution on the server.

“The vulnerability lies in the handling of shortcodes within the WPML plugin,” stealthcopter added. “Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).”

Shortcodes in WordPress enable users to easily add dynamic content, such as galleries, forms, buttons, or custom content blocks, to posts, pages, or widgets without needing to write complex code.
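To make the pattern concrete, here is an added PHP illustration (not WPML's code, and not taken from the researcher's post) of a shortcode handler that splices an attribute into the Twig template source, next to the safe form that passes the attribute in as a template variable. It assumes Twig 3 installed via Composer and mimics the shape of a WordPress shortcode callback without requiring WordPress.

```php
<?php
// Added illustration, not WPML's code. Assumes `composer require twig/twig`
// has been run in this directory so the autoloader exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// One shared environment; HTML autoescaping applies to variables only,
// never to template source text.
$twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);

// VULNERABLE pattern: the shortcode attribute becomes part of the template
// *source*, so Twig parses any {{ ... }} or {% ... %} the contributor typed.
// (In WordPress the defaults would come from shortcode_atts(); array_merge
// stands in for it here so the file runs stand-alone.)
function render_vulnerable(Environment $twig, array $atts): string
{
    $atts = array_merge(['name' => 'world'], $atts);
    $source = 'Hello ' . $atts['name'] . '!';
    return $twig->createTemplate($source)->render();
}

// FIXED pattern: the template source is a constant string under the
// developer's control; user data is handed over only as a render variable,
// so it is interpolated and HTML-escaped as plain text, never parsed.
function render_fixed(Environment $twig, array $atts): string
{
    $atts = array_merge(['name' => 'world'], $atts);
    return $twig->createTemplate('Hello {{ name }}!')
                ->render(['name' => $atts['name']]);
}

// Constructed input: an attribute value that happens to contain Twig syntax.
// A regression test for this class of bug can compare the two behaviours.
$probe = ['name' => '{{ 7 * 7 }}'];

// Vulnerable: Twig evaluates the expression inside the braces.
echo render_vulnerable($twig, $probe), PHP_EOL;
// Fixed: the braces come through as literal text.
echo render_fixed($twig, $probe), PHP_EOL;
```

The same comparison works as a code-review heuristic: any call that builds the string passed to `createTemplate()` from request or post data is the pattern to hunt for, independent of which shortcode exposes it.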

The vulnerability is now patched

The plugin maintainers, OnTheGoSystems, fixed the issue in an August 20 update.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” OnTheGoSystems said in a blog post. “This issue is unlikely to occur in real-world scenarios.”

Exploitation requires the user to have editing permissions in WordPress, and the site must use a very specific setup, the blog post added. Plugin users are nevertheless advised to apply the patch to defend against potential threats.

“WPML is the most popular WordPress multilingual plugin to create and manage translations and build a multilingual website,” read a Wordfence blog post. Wordfence, a WordPress security solutions provider, runs the WordPress bug bounty program through which stealthcopter reported the vulnerability. “As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques,” the post added.
