CVE-2024-6386 (CVSS 9.9) in WPML Plugin Exposes Millions of WordPress Sites to RCE Attacks
A severe security flaw (CVE-2024-6386, CVSS 9.9) has been discovered in the widely-used WPML plugin for WordPress, potentially exposing over one million websites to the risk of complete takeover. The vulnerability allows authenticated users with access to the post editor to execute malicious code remotely on the server, leading to severe consequences such as data theft, website defacement, and the installation of backdoors for future attacks.
CVE-2024-6386 is a remote code execution vulnerability stemming from a Twig Server-Side Template Injection (SSTI) flaw in the WPML plugin, specifically affecting all versions up to, and including, 4.6.12. The root cause of the vulnerability lies in the plugin’s failure to properly validate and sanitize input when rendering Twig templates. This critical oversight makes it possible for authenticated attackers to inject malicious code into the template, which is then executed on the server.
The vulnerability is particularly concerning given WPML’s widespread use as the most popular WordPress multilingual plugin, enabling site administrators to manage translations and create multilingual content seamlessly. The flaw is associated with the plugin’s shortcode feature, [wpml_language_switcher], which is used to implement a custom language switcher on websites. The shortcode leverages the callback() function in the WPML_LS_Shortcodes class, which, in turn, calls the render() function in the WPML_LS_Public_API class. This render() function processes the Twig template provided in the shortcode content, but without the necessary input sanitization, allowing for potentially malicious code to be injected and executed.
By exploiting this flaw, attackers can gain full control over a compromised site, deploying webshells and other malicious tools to maintain persistence, exfiltrate data, or launch further attacks on connected systems. The proof-of-concept exploit for this vulnerability has already been published, heightening the urgency for website administrators to take immediate action.
The vulnerability was discovered by a security researcher operating under the pseudonym “stealthcopter,” who responsibly reported the issue through the Wordfence Bug Bounty Program. In recognition of this critical discovery, the researcher was awarded a bounty of $1,639.00.
In response to this vulnerability, the developers of WPML have released a patched version, 4.6.13, which addresses the flaw by implementing the necessary input validation and sanitization. Website administrators are strongly urged to update their WPML plugin to the latest version immediately to mitigate the risk of exploitation.