Remote Code Execution Vulnerability Patched in WPML WordPress Plugin

The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classified as “Critical,” with a CVSS score of 9.9. Users are strongly advised to update their websites to the patched version, WPML 4.6.13.

Security researcher Mat Rollings (stealthcopter) discovered and reported the vulnerability through the Wordfence Bug Bounty program, earning a bounty of $1,639.

Wordfence’s István Márton explained: “The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.”

Mat Rollings called this vulnerability “a classic example of the dangers of improper input sanitization in templating engines” and has shared more technical details about it on his blog.
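The defect the advisory describes (user-supplied text reaching Twig's render function as template source) and its hardened form, as an added PHP sketch that is not WPML's own code; the shortcode name, the fixed template and the sandbox policy are illustrative assumptions:

```php
<?php
// Added illustration, not WPML's code: a WordPress shortcode handler that
// renders post content through Twig. Contributors can place shortcodes in
// posts, so $atts and $content are controlled by a low-privilege user.
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE pattern: the author's text becomes the *template source*, so any
// Twig syntax inside it is parsed and evaluated on the server (SSTI).
function render_unsafe(string $content): string {
    $twig = new Environment(new ArrayLoader(['tpl' => $content]));
    return $twig->render('tpl');
}

// HARDENED pattern: the template is a fixed string owned by the plugin and the
// user's text is passed as *data*, so it is only printed, never parsed.
function render_safe(string $content): string {
    $twig = new Environment(
        new ArrayLoader(['tpl' => '<div class="wpml-note">{{ content }}</div>']),
        ['autoescape' => 'html']   // also HTML-escape the value on output
    );
    return $twig->render('tpl', ['content' => $content]);
}

// Where a plugin genuinely must let editors author Twig, confine what a
// template can reach with the sandbox extension (allow-lists only).
function render_sandboxed(string $template, array $vars): string {
    $twig   = new Environment(new ArrayLoader(['tpl' => $template]));
    $policy = new SecurityPolicy(
        ['if', 'for'],                 // allowed tags
        ['escape', 'upper', 'lower'],  // allowed filters
        [],                            // allowed methods: none
        [],                            // allowed properties: none
        []                             // allowed functions: none
    );
    $twig->addExtension(new SandboxExtension($policy, true)); // sandbox everything
    return $twig->render('tpl', $vars);
}

add_shortcode('wpml_note', function ($atts, $content = '') {
    // render_unsafe($content) is the vulnerable shape; ship the safe form.
    return render_safe((string) $content);
});
```

The fix is a change of role, not of filtering: untrusted text must only ever be a template variable, and if editors need real templating, the sandbox policy above is the control that limits what a template can call.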

In the past eight days, researchers have earned $21,037 as bounties for reporting three critical plugin vulnerabilities: GiveWP, LiteSpeed Cache, and WPML.

1 Comment
CVSS severity scores have long been noted by the security industry to not be a reliable measure of the severity of vulnerabilities, and this vulnerability is a good example of that.

With this vulnerability, the attacker would have to have a level of access an untrusted individual rarely would have. So the risk posed by the vulnerability is rather low. The idea that a vulnerability unlikely to be exploited would have almost the highest severity doesn’t make sense.

Or to put it another way, if the vulnerability was exploitable by someone not logged in, it would certainly be widely exploited, but the severity score could increase to 10 from 9.9.

It would help if WordPress security providers stuck to more accurate severity measurements to avoid overstating the risks of vulnerabilities and unnecessarily scaring the WordPress community.

Also, what is the source for the claimed install count of this plugin?

