RCE via Twig SSTI
Twig server-side template injection (SSTI) is a class of security vulnerability that occurs when user input is handled improperly and inserted directly into a Twig template, a popular PHP templating engine. Remote code execution becomes possible when a web application lets the user (an attacker) inject malicious payloads into the Twig template source without proper sanitization or escaping.
“The vulnerability lies in the handling of shortcodes within the WPML plugin,” stealthcopter added. “Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, resulting in server-side template injection (SSTI).”
Shortcodes in WordPress let users easily add dynamic content, such as galleries, forms, buttons, or custom content blocks, to posts, pages, or widgets without having to write complex code.
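The following added example (not WPML's code or the researcher's) shows the two ways user-controlled text from something like a shortcode attribute can meet Twig: spliced into the template source, which is the injection pattern described above, versus passed as a render variable, which is the fix. It assumes Twig is installed via Composer; the `$untrusted` value is a constructed sample.

```php
<?php
// Added illustration of the Twig SSTI pattern; not WPML's code.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// The author controls the template; the user will only control data.
// Autoescaping is on by default ('html' strategy) in Twig\Environment.
$twig = new Environment(new ArrayLoader([
    'greeting.twig' => 'Hello {{ name }}!',
]));

// VULNERABLE: untrusted text becomes part of the template *source*.
// Twig then parses any {{ ... }} or {% ... %} the user wrote and
// evaluates it server-side, which is exactly the SSTI described above.
function render_vulnerable(Environment $twig, string $untrusted): string
{
    $source = 'Hello ' . $untrusted . '!';
    return $twig->createTemplate($source)->render([]);
}

// SAFE: the template text is fixed at development time and the untrusted
// value is supplied as a variable, so it reaches the output only as data
// (and is HTML-escaped by Twig's autoescaper on the way out).
function render_safe(Environment $twig, string $untrusted): string
{
    return $twig->render('greeting.twig', ['name' => $untrusted]);
}

// Constructed sample input standing in for a shortcode attribute value.
$untrusted = '<b>visitor</b>';

// Prints: Hello &lt;b&gt;visitor&lt;/b&gt;!
echo render_safe($twig, $untrusted), PHP_EOL;
```

When reviewing a plugin for this bug, the thing to look for is any call to `createTemplate()` (or any `ArrayLoader`/string-loader setup) whose template string is built from request data; the fix is always to move that data into the render context, as in `render_safe()`.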