A vital security flaw has been disclosed within the WPML WordPress multilingual plugin that would enable authenticated customers to execute arbitrary code remotely beneath sure circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS rating: 9.9), impacts all variations of the plugin earlier than 4.6.13, which was launched on August 20, 2024.
Arising as a consequence of lacking enter validation and sanitization, the problem makes it attainable for authenticated attackers, with Contributor-level entry and above, to execute code on the server.
WPML is a well-liked plugin used for constructing multilingual WordPress websites. It has over a million energetic installations.
Safety researcher stealthcopter, who found and reported CVE-2024-6386, stated the issue lies within the plugin’s dealing with of shortcodes which are used to insert submit content material resembling audio, photographs, and movies.
“Particularly, the plugin makes use of Twig templates for rendering content material in shortcodes however fails to correctly sanitize enter, resulting in server-side template injection (SSTI),” the researcher stated.
SSTI, because the identify implies, happens when an attacker is ready to use native template syntax to inject a malicious payload into an internet template, which is then executed on the server. An attacker may then weaponize the shortcoming to execute arbitrary instructions, successfully permitting them to take management of the location.
“This WPML launch fixes a security vulnerability that would enable customers with sure permissions to carry out unauthorized actions,” the plugin maintainers, OnTheGoSystems, stated. “This concern is unlikely to happen in real-world eventualities. It requires customers to have enhancing permissions in WordPress, and the location should use a really particular setup.”
Customers of the plugin are really helpful to use the most recent patches to mitigate in opposition to potential threats.
