A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.
Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.
Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin’s handling of shortcodes that are used to insert post content such as audio, images, and videos.
“Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI),” the researcher said.
SSTI, as the name implies, occurs when an attacker is able to use native template syntax to inject a malicious payload into a web template, which is then executed on the server. An attacker could then weaponize the shortcoming to execute arbitrary commands, effectively allowing them to take control of the site.
“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” the plugin maintainers, OnTheGoSystems, said. “This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup.”
Users of the plugin are recommended to apply the latest patches to mitigate against potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com