WPML Plugin Patches a Remote Code Execution Vulnerability

  • News
  • Written by - Nithin Sreeraj

Our Sponsors

Highest-rated managed WordPress hosting provider on G2

Top-rated email+SMS marketing platform for ecommerce brands

Next-Gen Managed WordPress Hosting

Appointment scheduling WordPress plugin for online bookings

Advertise Here

Table Of Contents

WPML, one of the most popular WordPress multilingual plugins, recently patched a critical vulnerability (CVE-2024-6386) that could lead to Remote Code Execution via a Twig Server-Side Template Injection. With a CVSS score of 9.9, this vulnerability poses a significant risk to the pluginโ€™s extensive user base, which includes over 1,000,000 active installations. The flaw affects all versions of WPML up to 4.6.12.

This vulnerability was uncovered by security researcher Mat Rollings, also known as stealthcopter, and was reported through the Wordfence Bug Bounty Program, earning a reward of $1,639.00.

Root Cause of the Vulnerability

This particular vulnerability allowed authenticated users (with Contributor-level access and above) with access to the post editor to execute code remotely and WPML was prone to this vulnerability because of how it used to handle the shortcodes and the lack of input validation and sanitization.

According to Mat Rollings, โ€œ The vulnerability lies in the handling of shortcodes within the WPML plugin. Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).โ€

Wordfence stated that โ€œThe plugin provides a shortcode ([wpml_language_switcher]) that can be used to add a custom language switcher with a Twig template. The shortcode calls the callback() function in the WPML_LS_Shortcodes class, which then invokes the render() function in the WPML_LS_Public_API class. This function renders the Twig template supplied in the shortcode content but fails to sanitize it, making it possible to inject malicious code into a template that is executed on the server.โ€ They further explained, โ€œ As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.โ€

The Patch

The WPML team patched this vulnerability with WPML 4.6.13 and noted, โ€œ This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions. This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup.โ€

Mat Rollings concluded by saying, โ€œ This vulnerability is a classic example of the dangers of improper input sanitization in templating engines. Developers should always sanitize and validate user inputs, especially when dealing with dynamic content rendering.โ€

The WP Week Newsletter

A weekly newsletter covering updates from the WordPress ecosystem that are relevant and helpful for WordPress agencies, developers, and enthusiasts

Leave your comment

Your email address will not be published. Required fields are marked *