Which versions of the WPML plugin are affected by CVE-2024-6386?

All versions of the WPML plugin up to and including 4.6.12 are vulnerable to CVE-2024-6386. The vulnerability was patched in version 4.6.13, released on August 20, 2024.

How does the CVE-2024-6386 vulnerability impact WordPress sites?

The CVE-2024-6386 vulnerability allows attackers with contributor-level permissions to exploit a server-side template injection (SSTI) through unsanitized data in the WPML plugin. This can lead to remote code execution (RCE) and potentially allow attackers to take over the entire site.

What actions should WPML users take to protect their sites?

Users of the WPML plugin should immediately update to the latest version, 4.6.13, to mitigate the risk of exploitation. It is critical to take action due to the availability of proof-of-concept (PoC) code that demonstrates how the vulnerability can be exploited.

How has the developer of WPML responded to the vulnerability?

The developer of WPML, OnTheGoSystems, released a patch in version 4.6.13 on August 20, 2024, after discovering the vulnerability in late June 2024. Although they have downplayed the potential impact, citing specific conditions needed for exploitation, the availability of PoC code makes immediate updates necessary.

Advisory

Critical vulnerability reported in WordPress Multilingual WPML Plugin

Q: What is the critical vulnerability identified in the WPML plugin?

The critical vulnerability in the WPML (WordPress Multilingual) plugin is tracked as CVE-2024-6386, with a CVSS score of 9.9. It allows authenticated attackers to execute remote code, potentially leading to a complete site takeover. The vulnerability stems from inadequate sanitization in a shortcode function used for creating custom language switchers.

published: Aug. 27, 2024

Take action: If you are using WPML (WordPress Multilingual) plugin, time to patch ASAP. While the exploit scenario may not be immediate, it will happen - especially with an available proof of concept. Patch now, it's fairly easy.

Learn More

A critical vulnerability has been identified in the WPML (WordPress Multilingual) plugin, which impacts over one million WordPress installations. The vulnerability, tracked as CVE-2024-6386 (CVSS score 9.9), allows authenticated attackers to execute remote code, potentially leading to a complete site takeover.

The vulnerability stems from inadequate sanitization within the WPML plugin. Specifically, the issue is found in a shortcode function used to create custom language switchers. This function improperly processes user input, allowing server-side template injection (SSTI) through unsanitized data. As a result, attackers with contributor-level permissions can exploit this flaw to inject malicious code, leading to remote code execution (RCE).

All versions of the WPML plugin up to and including 4.6.12 are vulnerable. The vulnerability was discovered in late June 2024, but the plugin's developer, OnTheGoSystems, did not respond promptly, delaying the patch release until August 20, 2024, in version 4.6.13.

Users of the WPML plugin are strongly advised to update to the latest version, 4.6.13, as soon as possible to mitigate the risk of exploitation.

OnTheGoSystems has downplayed its potential impact, suggesting that the exploit requires specific conditions that may not be present in most real-world scenarios. Nevertheless, the availability of proof-of-concept (PoC) code makes immediate action critical.

Critical vulnerability reported in WordPress Multilingual WPML Plugin

Read More
CISA reports actively exploited Sitecore CMS Vulnerabilities
Critical remote code execution flaw in Sneeit Framework …
Critical RCE Vulnerability in Kali Forms Plugin Under …
LayerSlider WordPress Plugin patches a critical flaw
Critical vulnerabilities reported in HT Contact Form Widget