Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

Summary:
A critical security vulnerability tracked as CVE-2024-6386 has been disclosed in WPML, a popular WordPress plugin for building multilingual sites with over one million active installations. Under certain circumstances, the flaw allows authenticated users with Contributor-level access or higher to execute arbitrary code remotely. The issue arises from missing input validation and sanitization in the plugin's handling of the shortcodes used for audio, images, and videos: because shortcode input is passed to the plugin's template engine without sanitization, an adversary can supply native template syntax that the server then evaluates, a server-side template injection. The vulnerability affects all versions of WPML before 4.6.13 and has been addressed in the latest patch.

Security Officer Comments:
The disclosure of CVE-2024-6386 in the WPML plugin highlights the ongoing importance of maintaining up-to-date software and implementing robust security measures. The vulnerability's severity, rated 9.9 on the CVSS scale, underscores the potential for significant harm if exploited. The ability for authenticated users to execute arbitrary code remotely could lead to a wide range of malicious activities, including data exfiltration, unauthorized access, and disruption of services. A proof-of-concept exploit has been published (see the stealthcopter link below). The proof of concept was confirmed by WordPress on June 27, 2024, and the plugin vendor released a fully patched version on August 20, 2024. WordPress site owners are encouraged to update to the latest patched version of WPML, given the vulnerability's critical nature and the plugin's widespread deployment. Additionally, organizations should note that although exploitation requires authentication and specific circumstances, adversaries could still leverage the flaw after gaining access through stolen credentials.

Suggested Corrections:

  • Update to the Latest WPML Version: Install WPML version 4.6.13 or later to apply the patch that addresses the vulnerability.
  • Scan for Compromises: Conduct a thorough security audit of your WordPress site to identify any signs of compromise that may have occurred due to the vulnerability.
  • Review Access Controls: Ensure that only authorized users have the necessary permissions to edit and manage content on your WordPress site.
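One practical way to carry out the "Scan for Compromises" step is to look for template delimiters inside shortcode attributes in stored post content, since the advisory's root cause is template syntax reaching the template engine through media shortcodes. The scanner below is an added example, not code from the advisory or from WPML; it operates on constructed (post_id, content) pairs standing in for rows exported from the site's posts table, and flags any shortcode whose attributes contain `{{`, `{%` or `{#`.

```python
import re
from typing import Iterable, List, Tuple

# Twig-style template delimiters; none of these belongs in a shortcode attribute.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")

# A WordPress shortcode: [name attr="value" ...]. The attribute part runs up to
# the closing bracket, so template syntax inside attributes is captured in "attrs".
SHORTCODE = re.compile(r"\[(?P<name>[A-Za-z0-9_-]+)(?P<attrs>[^\]]*)\]")

# Constructed sample content (not real site data). Post 103 contains braces in
# plain text, outside any shortcode, and must not be reported.
SAMPLE_POSTS: List[Tuple[int, str]] = [
    (101, 'Intro text [audio src="https://example.com/a.mp3"] more text'),
    (102, 'Suspicious [video src="{{ template_expression }}" poster="x.jpg"]'),
    (103, 'Plain paragraph with {{ literal braces }} outside any shortcode'),
    (104, '[image title="{% template_tag %}" src="img.png"] caption'),
]


def find_template_syntax_in_shortcodes(
    posts: Iterable[Tuple[int, str]],
) -> List[Tuple[int, str, str]]:
    """Return (post_id, shortcode_name, snippet) for every shortcode whose
    attribute string contains template delimiters. Matches are conservative:
    a shortcode escaped with double brackets ([[...]]) is still reported, so
    triage each hit by hand rather than treating it as proof of compromise."""
    findings: List[Tuple[int, str, str]] = []
    for post_id, content in posts:
        for match in SHORTCODE.finditer(content):
            if TEMPLATE_DELIMS.search(match.group("attrs")):
                # Keep a short snippet so the report is readable in a log line.
                findings.append((post_id, match.group("name"), match.group(0)[:80]))
    return findings


if __name__ == "__main__":
    for post_id, name, snippet in find_template_syntax_in_shortcodes(SAMPLE_POSTS):
        print(f"post {post_id}: shortcode [{name}] carries template syntax: {snippet}")
```

Run it against an export of post content (including revisions and custom post types, where a Contributor may also have written); a hit warrants a manual review of that post and of the author account.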

Link(s):
https://thehackernews.com/2024/08/critical-wpml-plugin-flaw-exposes.html

https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/

https://wpml.org/changelog/2024/08/wpml-4-6-13-and-woocommerce-multilingual-5-3-7-security-and-other-enhancements/