WPML: Over 1M WordPress Sites Affected by Remote Code Execution Vulnerability

Recently, news broke that one of the most popular plugins for WordPress that lets you make your website multilingual – WPML – may allow an attacker to conduct remote code execution attacks.

Preface

WPML – or WordPress Multilingual – is a prevalent plugin allowing websites based on WordPress to implement multilingual capabilities. According to Security Week, the same plugin might be susceptible to Remote Code Execution (RCE) attacks.

According to sources like Security Week and others, recently, researchers have found a bug titled CVE-2024-6386 with a Common Vulnerability Scoring System (CVSS) score of 9.9 in the WordPress Multilingual plugin.

What’s the Issue?

The issue appears to be related to missing or improper input validation done by the WordPress Multilanguage (WPML) plugin, thus paving the way for a possible Remote Code Execution attack. According to the CVE, versions of the WPML plugin older than 4.6.12 (4.6.12 is included in the list) are susceptible to the Remote Code Execution attack due to missing input validation and/or sanitization when a certain rendering function is being used.

In other words, the plugin may be susceptible to Twig Server-Side Template Injection if your user is at least a contributor. According to WordFence, this issue was apparently reported by a researcher called stealthcopter, who, as of June 5, 2024, has submitted at least 100 vulnerabilities.

According to the researcher himself, he has received a $1,639 bounty from WordFence for reporting this vulnerability, which, if we look at the number of active installations of WPML, may even seem dismal to some.

Anyway, according to StealthCopter, the plugin is susceptible to server-side template injection (SSTI) due to the way it handles shortcode content. The researcher publicized a payload and discussed how it works on his blog, but also observed that for those wanting to exploit such a remote code execution vulnerability, there may be complications that must be overcome such as the fact that WordPress encodes single or double quotes by default.

In any case, Remote Code Execution can still be executed by providing WordPress with Linux-specific commands.

The Issue Has Been Fixed

According to stealthcopter, the remote code execution (RCE) issue in the WPML plugin has been patched as of version 4.6.13 which was released just over a week ago.

The bottom line is that if any of you still find yourself using WPML, make sure to run the version 4.6.13 or higher to avoid the remote code execution vulnerability found in the plugin. Update as soon as possible, and until next time.

Securing Yourself with Data Breach Search Engines

Unfortunately, these days vulnerabilities like the aforementioned remote code execution vulnerability in WPML aren’t few and far between – such vulnerabilities are found pretty often and that’s because people continue to write code that can be considered unsafe. There are various ways to protect yourself from nefarious parties in this regard including the usage of web application firewalls (WAFs), intrusion detection systems or IDS, and so on, but one of the most important ways to take over accounts remain and that’s called credential stuffing.

Credential stuffing is essentially attackers using stolen data or credentials to mount attacks on websites by reusing those credentials, and you can protect yourself from attacks like credential stuffing by using data breach search engines like BreachDirectory.com:

Data breach search engines such as the one provided by BreachDirectory will not only let you search whether your email address, username, IP address, or website domain was exposed in any data breach, but also let you register for data breach notifications and a notification letter informing you what’s happening in the cyberspace.

Make use of data breach search engines like BreachDirectory to protect yourself as well because attackers are not only using Remote Code Execution attacks like mentioned in this article – many of them will also use credential stuffing to gain the upper hand.

Summary

A researcher going by the name of stealthcopter has found and responsibly disclosed a server-side template injection (SSTI) issue in one of the most popular WordPress multilingual plugins called WPML. Given that this plugin had over a million installations when the remote code execution vulnerability was disclosed, it’d have been certainly worrying if that vulnerability would have remained unpatched. If you find yourself using WPML, please update your software as quickly as possible, and until next time.

Frequently Asked Questions

What is Remote Code Execution?

Remote Code Execution, or RCE, makes an attacker able to remotely run malicious code on a computer network.

Is Remote Code Execution Dangerous?

Remote Code Execution is one of the most dangerous types of vulnerabilities targeting applications because it enables an attacker to execute malicious code within an application.

What Versions of WPML Are Affected By This Vulnerability?

According to the security researcher, all versions of WPML up and including 4.6.12 are affected by RCE. Make sure to upgrade to WPML 4.6.13 or newer if you’re going to continue to use the plugin.