A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), affects all versions of the plugin prior to 4.6.13, which was released on August 20, 2024.
Arising from missing input validation and sanitization, the issue makes it possible for authenticated attackers with Contributor-level access and above to execute code on the server. Contributor is the lowest standard WordPress role that can author post content, so any account able to save a post containing a shortcode is enough to reach the flaw; no administrative privileges are required.
WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.
Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin's handling of shortcodes that are used to insert post content such as audio, images, and videos.
“Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI),” the researcher stated.
SSTI, as the name implies, occurs when an attacker is able to use native template syntax to inject a malicious payload into a web template, which is then evaluated on the server. The root cause is a confusion between template source and template data: user-controlled input that should only ever be rendered as a value is instead concatenated into the template itself, so the engine parses and executes whatever expressions it contains. An attacker could then weaponize the shortcoming to execute arbitrary commands, effectively allowing them to take control of the site.
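The following is an added example, not WPML's code and not the researcher's proof of concept. It illustrates the general source-versus-data mistake described above using Twig in PHP: a hypothetical `caption_demo` shortcode whose `caption` attribute is interpolated into the template source (vulnerable) is contrasted with the same shortcode passing the attribute as template data (fixed). The shortcode name, function names, and the Composer autoload path are assumptions for the illustration; the `{{ 7*7 }}` probe is a constructed input.

```php
<?php
// Added example (not from WPML). Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// A template environment with no on-disk templates; every template is built
// from a string with createTemplate(), which is where the two variants differ.
$twig = new Environment(new ArrayLoader([]));

/**
 * VULNERABLE: the shortcode attribute is spliced into the template SOURCE.
 * Twig then parses attacker-controlled text as template syntax, so any
 * {{ ... }} or {% ... %} the attacker places in the attribute is evaluated.
 */
function render_caption_vulnerable(Environment $twig, array $atts): string
{
    $caption = $atts['caption'] ?? '';
    $source  = '<figcaption>' . $caption . '</figcaption>';
    return $twig->createTemplate($source)->render([]);
}

/**
 * FIXED: the template source is a constant written by the developer; the
 * attribute is passed only as DATA and HTML-escaped on output. Template
 * syntax inside the attribute is treated as an ordinary string.
 */
function render_caption_safe(Environment $twig, array $atts): string
{
    $source = '<figcaption>{{ caption|e }}</figcaption>';
    return $twig->createTemplate($source)->render([
        'caption' => $atts['caption'] ?? '',
    ]);
}

// Inside WordPress this is how the handler would be wired up. Guarded so the
// file also runs stand-alone from the command line for the comparison below.
if (function_exists('add_shortcode')) {
    add_shortcode('caption_demo', function (array $atts) use ($twig): string {
        // Hypothetical shortcode: [caption_demo caption="..."]
        $atts = shortcode_atts(['caption' => ''], $atts, 'caption_demo');
        return render_caption_safe($twig, $atts);
    });
}

// Constructed probe: a harmless arithmetic expression is the standard SSTI
// canary. If the engine evaluates it, the input is reaching the template source.
$atts = ['caption' => '{{ 7*7 }}'];

echo "vulnerable: ", render_caption_vulnerable($twig, $atts), PHP_EOL;
echo "safe:       ", render_caption_safe($twig, $atts), PHP_EOL;
```

Run with `php ssti_demo.php` after `composer require twig/twig`. The vulnerable function renders the arithmetic result inside the `figcaption` element, while the fixed function renders the literal, escaped text of the probe. In a real assessment the canary is the first step: once an attribute is confirmed to be parsed as template source, the same channel carries any expression the engine's extensions allow, which is why a Twig environment that must render untrusted strings should additionally enable the `SandboxExtension` with a restrictive `SecurityPolicy` rather than relying on escaping alone.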
“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” the plugin maintainers, OnTheGoSystems, stated. “This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup.”
Users of the plugin are advised to update to version 4.6.13 or later to mitigate potential threats.