CVE-2024-6386: WPML Vulnerability Threatens Over 1 Million Websites
A critical vulnerability has been discovered in the popular WPML plugin for WordPress, endangering the security of over one million websites. This issue, associated with remote code execution (RCE), has been designated as CVE-2024-6386 and has received a high severity rating (CVSS 9.9).
Cybersecurity experts at Wordfence explain that the vulnerability can be exploited by attackers with contributor-level privileges. The core issue lies in the insufficient validation of input data when using Twig templates for rendering shortcodes. This results in server-side template injection (SSTI), which paves the way for arbitrary code execution.
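To make the mechanism concrete, the following is an added illustration and not WPML's code: a hypothetical WordPress shortcode handler that renders through Twig. The first function shows the class of defect described above, where the shortcode body (content a contributor-level user controls) is compiled as Twig template source, so template syntax in it is executed by the engine. The second shows the hardened shape: the template is a fixed string owned by the plugin, the user's text is passed in only as data, and a Twig sandbox is added as defence in depth. The function and shortcode names (`sst_demo_*`, `sst_demo`) are invented for the example; the Twig classes (`Environment`, `ArrayLoader`, `SandboxExtension`, `SecurityPolicy`) and the WordPress helpers (`add_shortcode`, `shortcode_atts`) are real.

```php
<?php
// Added illustration (not WPML's code): a WordPress shortcode rendered through Twig.
// Assumes a Composer autoload with twig/twig installed and that WordPress has loaded
// add_shortcode()/shortcode_atts(). Names prefixed sst_demo_ are hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE PATTERN (for illustration only). The shortcode body $content, which a
// contributor-level user controls, is handed to Twig as the *template source*. Any Twig
// syntax inside it is parsed and executed with the engine's full capabilities: this is the
// server-side template injection (SSTI) class of bug the article describes.
function sst_demo_vulnerable_shortcode($atts, $content = '') {
    $twig = new Environment(new ArrayLoader());
    // $content is the template itself, not data rendered *into* a template.
    return $twig->createTemplate($content)->render([]);
}

// HARDENED PATTERN. The template is a fixed string the plugin author owns; the user's
// text enters only as a variable, is HTML-autoescaped, and is never parsed as Twig.
function sst_demo_hardened_shortcode($atts, $content = '') {
    $atts = shortcode_atts(['title' => ''], $atts, 'sst_demo');

    $loader = new ArrayLoader([
        'box.twig' => '<div class="box"><h3>{{ title }}</h3><p>{{ body }}</p></div>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);

    // Defence in depth: sandbox every template so that even a future "dynamic" template
    // can use only a short allow-list of tags and filters, and no methods, properties or
    // functions. The lists below are deliberately minimal for this demo.
    $policy = new SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters
        [],                   // allowed methods: none
        [],                   // allowed properties: none
        []                    // allowed functions: none
    );
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox all templates

    return $twig->render('box.twig', [
        'title' => $atts['title'],
        'body'  => $content, // data, not code; a literal "{{" in $content is printed as text
    ]);
}

if (function_exists('add_shortcode')) {
    add_shortcode('sst_demo', 'sst_demo_hardened_shortcode');
}
```

The review question for any Twig-backed shortcode is therefore simple: does user-supplied text ever reach `createTemplate()` (or the loader) as template source, or only `render()` as a variable? If a shortcode legitimately needs to accept author-written HTML, the right tool is WordPress's `wp_kses_post()` filter on the data, not treating the data as a template.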
Independent researcher @stealhcopter, who first identified the vulnerability, has already published proof-of-concept code demonstrating the potential for exploiting this flaw to achieve RCE. Reportedly, the vulnerability could lead to full site compromise through the use of web shells and other techniques.
CVE-2024-6386 was addressed in version 4.6.13 of the WPML plugin, released on August 20, 2024. Users are strongly advised to update to this version as soon as possible, given that the exploit code for the vulnerability is already publicly available.
However, the plugin’s developer, OnTheGoSystems, is attempting to downplay the significance of the issue. Their representatives claim that the vulnerability requires specific conditions for exploitation, including user editing rights and a particular site configuration. They also emphasize that the actual threat of exploitation is minimal.