WordPress WPML Plugin Critical Vulnerability CVE-2024-6386

Researchers have uncovered a critical vulnerability in the WPML multilingual CMS plugin for WordPress that leads to remote code execution and potentially allows attackers to compromise affected websites.

The vulnerability, tracked as CVE-2024-6386 with a CVSS score of 9.8, stems from the handling of shortcodes within the WPML plugin. Specifically, the plugin uses Twig templates to render content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).
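To illustrate the bug class described above, here is an added example (not WPML's own code; the shortcode attribute is hypothetical) showing the vulnerable pattern of compiling a shortcode attribute as Twig template source next to the hardened form that passes the same value in as a template variable. It assumes Twig is installed via Composer so that vendor/autoload.php exists.

```php
<?php
// Added example, not WPML's code. Assumes: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample: an attribute value supplied by a user with editing
// rights, e.g. [hypothetical_shortcode label="..."]. The value contains a
// harmless canary that only changes if it is compiled as template code.
$attr = 'Hello {{ 7 * 7 }}';

// VULNERABLE pattern: the attribute becomes part of the template source,
// so Twig compiles and evaluates whatever the editor typed. This is the
// server-side template injection class the advisory describes.
function render_unsafe(string $attr): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate('<span>' . $attr . '</span>')->render();
}

// HARDENED pattern: the template is a fixed string written by the
// developer; user input enters only as a variable, which Twig treats as
// data and HTML-escapes rather than as code to execute.
function render_safe(string $attr): string
{
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $tpl  = $twig->createTemplate('<span>{{ label }}</span>');
    return $tpl->render(['label' => $attr]);
}

// Regression check a maintainer can keep in the plugin's test suite:
// the canary must survive verbatim in the hardened path.
$safe = render_safe($attr);
if (strpos($safe, '{{ 7 * 7 }}') === false) {
    throw new RuntimeException('user input was evaluated as template code');
}

echo "unsafe: " . render_unsafe($attr) . PHP_EOL;
echo "safe:   " . $safe . PHP_EOL;
```

Running the script shows the canary arithmetic evaluated in the unsafe output and left as literal text in the hardened output.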

This flaw can be exploited for remote code execution (RCE), as demonstrated by proof-of-concept code published by the researcher Stealthcopter, who reported the issue through the Wordfence Bug Bounty Program and earned a bounty of $1,639.00 for the discovery.

The flaw affects plugin versions prior to 4.6.13. However, the plugin's maintainer, OnTheGoSystems, downplayed the issue, saying that the flaw is hard to exploit in real-world scenarios because it requires users to have editing permissions in WordPress and the site must use a very specific setup.

Given the critical nature of this vulnerability, WordPress users are advised to verify that their sites are updated to the latest patched version of WPML as soon as possible.
