A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), affects all versions of the plugin before 4.6.13, which was released on August 20, 2024.
Arising from missing input validation and sanitization, the issue makes it possible for authenticated attackers with Contributor-level access and above to execute code on the server.
WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.
Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin's handling of shortcodes that are used to insert post content such as audio, images, and videos.
"Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI)," the researcher said.
SSTI, as the name implies, occurs when an attacker is able to use native template syntax to inject a malicious payload into a web template, which is then executed on the server. An attacker could then weaponize the flaw to execute arbitrary commands, effectively allowing them to take control of the site.
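To make the SSTI distinction concrete, here is an added PHP example (written for this article, not code from WPML or its maintainers) that contrasts the unsafe and safe ways of combining untrusted shortcode text with a Twig template. The function names, the `Caption:` template and the sample input are assumptions for illustration; the example assumes Twig is installed via Composer.

```php
<?php
// Added example (not WPML code): unsafe vs. safe use of Twig with untrusted text.
// Assumes Twig is installed via Composer so the autoloader is available.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Vulnerable pattern: the untrusted string is concatenated into the template
// SOURCE, so any {{ ... }} or {% ... %} it contains is compiled and executed
// by the engine. This is the shape of bug the article describes.
function renderCaptionVulnerable(Environment $twig, string $untrustedCaption): string
{
    $source = 'Caption: ' . $untrustedCaption;
    return $twig->createTemplate($source)->render();
}

// Hardened pattern: the template source is a fixed string written by the
// developer; the untrusted value is passed only as a context variable, so Twig
// treats it as data (and auto-escapes it for HTML), never as template syntax.
function renderCaptionSafe(Environment $twig, string $untrustedCaption): string
{
    $template = $twig->createTemplate('Caption: {{ caption }}');
    return $template->render(['caption' => $untrustedCaption]);
}

// Defence-in-depth check for logging or alerting: shortcode attributes never
// legitimately need Twig delimiters, so their presence is a strong signal.
function containsTwigSyntax(string $value): bool
{
    return preg_match('/\{\{|\{%|\{#/', $value) === 1;
}

$twig = new Environment(new ArrayLoader([]));

// Constructed input: a harmless arithmetic expression whose only purpose is to
// reveal whether the engine evaluates the string or treats it as literal text.
$input = '{{ 7 * 7 }}';

echo renderCaptionVulnerable($twig, $input), PHP_EOL; // the expression is evaluated
echo renderCaptionSafe($twig, $input), PHP_EOL;       // the text is rendered literally
var_dump(containsTwigSyntax($input));                 // flagged for review
```

The fix is not to "sanitize" template delimiters out of the string after the fact; it is to stop treating user-controlled text as template source at all. The `containsTwigSyntax` check is useful as a detection signal in request logs, not as the primary control.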
"This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions," the plugin maintainers, OnTheGoSystems, said. "This issue is unlikely to occur in real-world scenarios. It requires users to have editing permissions in WordPress, and the site must use a very specific setup."
Users of the plugin are recommended to apply the latest patches to mitigate against potential threats.