The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classified as “Critical,” with a CVSS score of 9.9. Users are strongly advised to update their websites to the patched version, WPML 4.6.13.
Security researcher Mat Rollings (stealthcopter) discovered and reported the vulnerability through the Wordfence Bug Bounty program, earning a bounty of $1,639.
Wordfence’s István Márton explained: “The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.”
Matt Rollings dubbed this vulnerability “a classic example of the dangers of improper input sanitization in templating engines” and has shared more technical details about this vulnerability on his blog.
In the past eight days, researchers have earned $21,037 as bounties for reporting three critical plugin vulnerabilities: GiveWP, LiteSpeed Cache, and WPML.
