
WPML: Over 1M WordPress Sites Affected by Remote Code Execution Vulnerability

Recently, news broke that WPML – one of the most popular plugins for making a WordPress website multilingual – could let an attacker execute code remotely on the server hosting the site.

Preface

WPML – or WordPress Multilingual – is a widely used plugin that adds multilingual capabilities to WordPress websites. According to Security Week, the plugin is susceptible to Remote Code Execution (RCE) attacks.

According to Security Week and other sources, researchers recently found a bug in the WordPress Multilingual plugin that is tracked as CVE-2024-6386 and carries a Common Vulnerability Scoring System (CVSS) score of 9.9 out of 10.

What’s the Issue?

The issue stems from missing or improper input validation in the WordPress Multilingual (WPML) plugin, which opens the door to Remote Code Execution. According to the CVE entry, WPML versions up to and including 4.6.12 are affected: user-supplied content is neither validated nor sanitized before it is handed to a rendering function, so an attacker can get arbitrary code executed on the server.

In other words, the plugin is vulnerable to Twig Server-Side Template Injection (SSTI) by any authenticated user holding the Contributor role or higher. According to Wordfence, the issue was reported by a researcher known as stealthcopter who, as of June 5, 2024, had submitted at least 100 vulnerabilities to Wordfence.

The researcher himself says he received a $1,639 bounty from Wordfence for the report, which, given the number of active WPML installations, may strike some as modest.

According to stealthcopter, the plugin is susceptible to server-side template injection (SSTI) because of the way it handles shortcode content: text placed inside the shortcode is passed to the Twig template engine and evaluated as a template rather than treated as plain data. The researcher published a payload and explained how it works on his blog, but also noted that anyone trying to exploit the bug has to work around complications, such as the fact that WordPress encodes single and double quotes in post content by default.

Even so, the researcher showed that those complications can be overcome and that commands can still be run on the underlying Linux host.
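The two facts above – the injection point is shortcode content, and WordPress rewrites quote characters before that content is stored or displayed – are exactly what a triage script for post bodies or request logs has to account for. The following Python helper is an added example written for this article, not code from WPML, the researcher or Wordfence. It extracts the body of every enclosing shortcode, undoes the entity and curly-quote encoding WordPress applies, and reports any Twig syntax it finds, grading expressions that can reach PHP callables as high-risk. The shortcode name `example_switcher`, the sample post bodies and the list of high-risk indicators are all constructed for illustration; the indicators are generic Twig SSTI patterns, not the researcher's payload, which the page does not reproduce.

```python
"""Triage helper for Twig-style SSTI attempts hidden in WordPress shortcode content.
Added example for this article; not part of WPML or the researcher's tooling."""
import html
import re
from dataclasses import dataclass, field

# Matches [name attrs]body[/name]; self-closing shortcodes have no body and are skipped.
SHORTCODE_RE = re.compile(
    r"\[(?P<name>[a-zA-Z0-9_-]+)(?P<attrs>[^\]]*)\](?P<body>.*?)\[/(?P=name)\]", re.S)
# Twig output expressions, statements and comments.
TWIG_SYNTAX_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)
# Constructs that go beyond printing a variable. These are generic Twig SSTI
# indicators chosen for illustration, not the payload discussed on the page.
HIGH_RISK_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b_self\b",                                   # reaches the template object / Environment
    r"\benv\b",                                     # _self.env on older Twig versions
    r"\|\s*(filter|map|reduce|sort)\s*\(",          # array filters that accept a callable name
    r"\battribute\s*\(",                            # dynamic method/property access
    r"\b(system|passthru|shell_exec|exec|popen|proc_open|file_put_contents)\b",
)]
# WordPress turns straight quotes into curly ones; Twig would not parse those as
# string delimiters, but for detection we fold them back so an encoded payload stays visible.
CURLY_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201a": "'",
                              "\u201c": '"', "\u201d": '"', "\u201e": '"'})


@dataclass
class Finding:
    shortcode: str
    expression: str
    high_risk: bool
    indicators: list[str] = field(default_factory=list)


def normalise(text: str) -> str:
    """Undo WordPress entity encoding (&#8220; &#8221; &quot; &#039; ...) and curly
    quotes. Two unescape passes also cover double-encoded input such as &amp;quot;."""
    return html.unescape(html.unescape(text)).translate(CURLY_QUOTES)


def scan_shortcode_content(post_content: str) -> list[Finding]:
    """Return every Twig expression found inside any enclosing shortcode."""
    findings = []
    for sc in SHORTCODE_RE.finditer(post_content):
        body = normalise(sc.group("body"))
        for expr in TWIG_SYNTAX_RE.findall(body):
            hits = [p.pattern for p in HIGH_RISK_PATTERNS if p.search(expr)]
            findings.append(Finding(sc.group("name"), expr, bool(hits), hits))
    return findings


def triage(post_content: str) -> str:
    """'clean', 'suspicious' (template syntax where an author should only be writing
    content) or 'high-risk' (syntax that can reach PHP callables)."""
    findings = scan_shortcode_content(post_content)
    if not findings:
        return "clean"
    return "high-risk" if any(f.high_risk for f in findings) else "suspicious"


# Constructed sample post bodies; the shortcode name is a placeholder, not WPML's.
SAMPLE_POSTS = {
    "plain": 'Hello [example_switcher class="x"]just text[/example_switcher] world',
    "variable_print": "[example_switcher]{{ language_code }}[/example_switcher]",
    # Quotes stored as WordPress would texturize them (&#8216; / &#8217;).
    "entity_encoded": "[example_switcher]{{ [&#8216;id&#8217;]|filter(&#8216;system&#8217;) }}[/example_switcher]",
    # Double-encoded quotes, as seen when content is escaped twice on its way to a log.
    "double_encoded": "[example_switcher]{{ [&amp;quot;id&amp;quot;]|filter(&amp;quot;system&amp;quot;) }}[/example_switcher]",
    "statement_tag": "[example_switcher]{% set x = _self.env %}[/example_switcher]",
    # Twig syntax outside any enclosing shortcode is not rendered and is ignored.
    "self_closing": "[example_switcher /] {{ 7*7 }}",
}

if __name__ == "__main__":
    for label, body in SAMPLE_POSTS.items():
        print(f"{label:15} -> {triage(body)}")
        for f in scan_shortcode_content(body):
            print(f"    [{f.shortcode}] {f.expression!r} indicators={f.indicators}")
```

Run it over exported post content (`wp_posts.post_content`) or over the body of captured `POST` requests to the editor endpoints; anything graded `suspicious` or `high-risk` from a Contributor-level account deserves a look, since ordinary authors have no reason to write template syntax at all. The quote folding in `normalise` is what keeps the encoded variants from slipping past a naive search for `'system'`.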

The Issue Has Been Fixed

According to stealthcopter, the remote code execution (RCE) issue in the WPML plugin was patched in version 4.6.13, which was released just over a week ago.

The bottom line: if you still run WPML, make sure you are on version 4.6.13 or newer so that you are no longer exposed to this remote code execution vulnerability. Update as soon as possible.

Securing Yourself with Data Breach Search Engines

Unfortunately, vulnerabilities like this WPML remote code execution bug are not rare; they turn up regularly because unsafe code keeps being written. Defences such as web application firewalls (WAFs) and intrusion detection systems (IDS) help against attacks on the application itself, but one of the most common ways accounts get taken over does not involve an application bug at all: credential stuffing.

Credential stuffing is the automated replay of usernames and passwords stolen in one data breach against the login forms of other websites, in the hope that the victim reused the same password. You can reduce your exposure to attacks like credential stuffing by using data breach search engines like BreachDirectory.com:


Data breach search engines such as the one provided by BreachDirectory let you check whether your email address, username, IP address or website domain has appeared in a known data breach, and also let you sign up for data breach notifications and a newsletter covering what is happening in cyberspace.

Use data breach search engines like BreachDirectory to protect yourself as well: attackers do not only exploit Remote Code Execution bugs like the one described in this article, many of them also rely on credential stuffing to gain a foothold.

Summary

A researcher going by the name stealthcopter found and responsibly disclosed a server-side template injection (SSTI) issue in WPML, one of the most popular multilingual plugins for WordPress. Given that the plugin had over a million installations when the vulnerability was disclosed, it would certainly have been worrying had it remained unpatched. If you use WPML, update your installation as quickly as possible, and until next time.

Frequently Asked Questions

What is Remote Code Execution?

Remote Code Execution, or RCE, lets an attacker run code of their choosing on a target system over the network, without physical or local access to it.

Is Remote Code Execution Dangerous?

Remote Code Execution is among the most dangerous classes of vulnerability because it lets an attacker execute arbitrary code within the affected application, typically with the privileges of the process running it (for a WordPress plugin, the web server's PHP process).

What Versions of WPML Are Affected By This Vulnerability?

According to the security researcher, all versions of WPML up to and including 4.6.12 are affected. Upgrade to WPML 4.6.13 or newer if you intend to keep using the plugin.
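The advice above, and the same advice at the end of the patch section, boils down to one check: is the installed version below 4.6.13? Version strings are not numbers, and a plain string comparison gets this wrong (`"4.6.9" > "4.6.13"` as text, although 4.6.9 is older), so the following Python helper is an added example for this article, not code from WPML or the researcher, that parses the version properly and reads it straight from a plugin's header comment. The plugin header text is constructed for illustration; the file you would actually read is the plugin's main PHP file inside `wp-content/plugins/`, and treating a `4.6.13` pre-release as still affected is an assumption.

```python
"""Check whether an installed WPML version falls in the affected range.
Added example for this article; not part of WPML."""
import re

FIRST_FIXED = "4.6.13"   # first fixed release, per the advisory summarised on the page

# WordPress plugin main files declare their version in a header comment; the
# optional leading '*' covers the "/** ... * Version: x.y.z" comment style.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def parse_version(version: str) -> tuple:
    """Turn '4.6.12', '4.6' or '4.6.13-rc1' into a comparable tuple.
    Missing components count as 0, and a pre-release suffix sorts below the
    final release it precedes, so 4.6.13-rc1 is still treated as affected
    (assumption: only the final 4.6.13 carries the fix)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+]?(.+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))          # 4.6 -> 4.6.0
    prerelease = m.group(2)
    return numbers, (0 if prerelease else 1)      # final release sorts after any pre-release


def is_affected(installed: str) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(FIRST_FIXED)


def version_from_plugin_header(header_text: str) -> str:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = HEADER_VERSION_RE.search(header_text)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


# Constructed stand-in for the top of a plugin's main PHP file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Example multilingual plugin
Plugin URI: https://example.invalid/
Version: 4.6.12
*/
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    state = "AFFECTED, update now" if is_affected(installed) else "not affected"
    print(f"installed {installed}: {state}")
    for v in ("4.6.9", "4.6.12", "4.6.13-rc1", "4.6.13", "4.7.0"):
        print(f"{v:12} affected={is_affected(v)}")
```

Point `version_from_plugin_header` at the real header (for example via `open(path).read(4096)`) and the same check works on a live install; the numeric tuple comparison is what keeps `4.6.9` from being mistaken for a patched build.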

Nirium
