WPML WordPress Plugin Fixes Remote Code Execution Vulnerability
The popular WordPress Multilingual plugin, WPML, has recently addressed a critical vulnerability that could have potentially allowed attackers to execute code on websites using the plugin. The vulnerability, known as a Remote Code Execution (RCE) flaw, was discovered by security researcher Mat Rollings and reported through the Wordfence Bug Bounty program.
WPML is widely used, with over 1,000,000 active installations. This makes it a prime target for attackers looking to exploit vulnerabilities and gain unauthorized access to websites. The RCE vulnerability in WPML was classified as “Critical” and received a CVSS score of 9.9, indicating its severity.
The vulnerability, identified as CVE-2024-6386, affected all versions of WPML up to and including version 4.6.12. It was a Twig Server-Side Template Injection (SSTI) caused by missing input validation and sanitization in the plugin’s render function, which allowed authenticated attackers with Contributor-level access or above to execute arbitrary code on the server.
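As an added illustration (not WPML's own code and not the patched function), the following shows the pattern behind a Twig SSTI in a hypothetical render helper beside its hardened form, using the public Twig 3 API; the function names and the `block` markup are assumptions.

```php
<?php
// Added illustration (not WPML's code): the vulnerable pattern behind a Twig SSTI
// and the hardened form. Requires twig/twig (composer require twig/twig).
require 'vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE (hypothetical): the user's text becomes part of the template *source*,
// so any Twig syntax inside it is compiled and executed on the server.
function render_block_vulnerable(Environment $twig, string $userContent): string
{
    $source = '<div class="block">' . $userContent . '</div>';
    return $twig->createTemplate($source)->render();
}

// HARDENED: the template is a fixed string; user content enters only as a
// context variable, where it is treated as data and HTML-escaped by autoescape.
function render_block_safe(Environment $twig, string $userContent): string
{
    $template = $twig->createTemplate('<div class="block">{{ content }}</div>');
    return $template->render(['content' => $userContent]);
}

// Defence in depth: a sandboxed environment whose policy allows no tags, no
// object methods or properties and no functions, so even a template that did
// carry user-controlled syntax could not reach PHP callables.
function make_sandboxed_twig(): Environment
{
    $twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
    // Arguments: allowed tags, filters, methods, properties, functions.
    $policy = new SecurityPolicy([], ['escape'], [], [], []);
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template
    return $twig;
}

$twig = make_sandboxed_twig();
// Constructed sample input: a contributor-supplied string containing markup.
$input = '<b>Hello</b> from a contributor';
echo render_block_safe($twig, $input), PHP_EOL;
```

The hardened function is safe on its own because the untrusted string never reaches the template parser; the sandbox only limits the damage if that separation is broken elsewhere.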
Fortunately, the vulnerability has been addressed in the latest version of WPML, version 4.6.13. Users are strongly advised to update their websites to this patched version to protect themselves from potential attacks. Failure to do so could leave websites vulnerable to exploitation and compromise.
Mat Rollings, also known as stealthcopter, discovered the vulnerability and reported it to the Wordfence Bug Bounty program. As a result, he was awarded a bounty of $1,639 for his contribution to improving the security of WordPress plugins. Rollings described the vulnerability as a classic example of the dangers of improper input sanitization in templating engines.
Wordfence, the organization behind the Bug Bounty program, has seen an increase in the number of critical vulnerabilities reported in popular WordPress plugins in recent days. In the past eight days alone, researchers have earned a total of $21,037 in bounties for reporting critical vulnerabilities in plugins such as GiveWP, LiteSpeed Cache, and WPML. This highlights the importance of regular security assessments and updates for WordPress websites, especially those utilizing popular plugins.
In conclusion, WPML has taken swift action to address a critical vulnerability that could have exposed millions of WordPress websites to remote code execution attacks. Users are urged to update their WPML installations to version 4.6.13 to ensure their websites are protected. The incident also serves as a reminder of the ongoing security risks associated with popular WordPress plugins, emphasizing the need for regular security assessments and prompt updates to mitigate potential threats.