Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
Aug 28, 2024
WordPress Security / Website Protection
A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances. The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024. Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations. Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin's handling of shortcodes that are used to insert post content such as audio, images, and videos. "Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leadi