Analysis Summary

The WPML WordPress multilingual plugin contains a serious security vulnerability that, in some cases, might provide authorized users the ability to remotely execute arbitrary code.

This issue affects all versions of the plugin before 4.6.13, which was released on August 20, 2024. It is tagged as CVE-2024-6386 (CVSS score: 9.9). The problem allows authorized attackers with Contributor-level access and above to execute code on the server since input validation and sanitization are absent.

For creating multilingual WordPress websites, WPML is a popular plugin. The number of active installations is more than one million. The issue, according to security researchers, is with how the plugin handles shortcodes, which are used to add post content including audio, photos, and videos. In particular, the plugin allows server-side template injection (SSTI) by using Twig templates to render content in shortcodes while neglecting to properly sanitize input.

As the name suggests, SSTI happens when an attacker manages to insert a malicious payload into a web template through native template syntax, which is subsequently executed on the server. The vulnerability might subsequently be used as a weapon by an attacker to carry out arbitrary commands, so giving them control over the website.

This WPML update addresses a security flaw that would have let users with specific rights carry out unauthorized operations. It is improbable that this problem will arise in practical settings. Users must be able to edit content in WordPress, and the website needs to follow a certain particular configuration.

Impact

• Code Execution
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-6386

Affected Vendors

Remediation

• Upgrade to the latest version of Plugin, available from the WordPress Plugin Directory.
• Enhance the security of your WordPress site by implementing two-factor authentication.
• Keep your WordPress core and all installed plugins up to date.
• Conduct regular security audits of your WordPress site.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets
• Maintain daily backups of all computer networks and servers.
• Keep all software, operating systems, and applications updated with the latest security patches.
• Continuously monitor network and system logs for unusual or suspicious activities.
• Review and secure website code to prevent open redirect vulnerabilities.
• Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.