More than a million websites on the verge of being hacked due to a bug in WPML

Users of the popular plugin risk losing control over their resources.

A critical vulnerability has been discovered in the popular WPML plugin for WordPress that puts more than one million websites at risk of being compromised. The Remote Code Execution (RCE) issue has been designated CVE-2024-6386 and has a high severity rating (CVSS 9.9).

Wordfence security researchers explain that the vulnerability can be exploited by attackers who hold contributor-level rights. The root cause is insufficient input validation when Twig templates are used to render shortcodes. The result is server-side template injection (SSTI), which opens the way to arbitrary code execution.

The independent researcher @stealhcopter, who first discovered the vulnerability, has already published proof-of-concept code confirming that the issue can be exploited for RCE. Reportedly, the vulnerability could lead to a complete compromise of the site through web shells and other methods.

CVE-2024-6386 was fixed in WPML 4.6.13, released on August 20, 2024. Users are urged to update the plugin to this version as soon as possible, given that exploit code for the vulnerability is already publicly available.
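Two checks an administrator can run offline follow from the two paragraphs above: whether the installed WPML version predates the fixed 4.6.13 release, and whether stored post content already carries Twig template delimiters inside shortcode attributes, the input class the advisory says was not validated. The script below is an added example written for this post; it is not code from WPML, Wordfence or the researcher. The plugin header, the shortcode names and the post content are constructed samples, and the shortcode grammar is a simplified version of WordPress's `[name attr="value"]` form.

```python
"""Defender-side checks for the WPML SSTI issue described above (added example).

1. Compare an installed WPML version against the fixed release (4.6.13).
2. Scan stored post content for Twig template delimiters inside shortcode
   attributes, which is the input class the advisory says was not validated.
"""
import re
from typing import List, Tuple

# Fixed release named in the advisory.
FIXED_VERSION = (4, 6, 13)

# Twig's three delimiter families: output {{ }}, statement {% %}, comment {# #}.
TWIG_DELIMITERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)

# Simplified WordPress shortcode: [name attr="value" attr2='v' bare=value /]
SHORTCODE = re.compile(
    r"\[(?P<name>[\w-]+)"
    r"(?P<attrs>(?:\s+[\w-]+=(?:\"[^\"]*\"|'[^']*'|[^\s\]]+))*)\s*/?\]"
)
ATTR = re.compile(r"([\w-]+)=(?:\"([^\"]*)\"|'([^']*)'|([^\s\]]+))")

# Constructed sample plugin header (not the real WPML file).
PLUGIN_HEADER = """\
/*
 * Plugin Name: Example Multilingual Plugin
 * Version: 4.6.12
 */
"""

# Constructed sample post content; the shortcode names are made up.
SAMPLE_CONTENT = """\
<p>Welcome</p>
[gallery ids="1,2,3"]
[example_shortcode title="Hello {{ site.name }}"]
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.6.12' into (4, 6, 12); a suffix such as '-beta' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_from_plugin_header(header: str) -> str:
    """Extract the 'Version:' field from a WordPress-style plugin file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.M)
    if not match:
        raise ValueError("no Version: line in plugin header")
    return match.group(1)


def needs_update(installed: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < FIXED_VERSION


def find_twig_in_shortcodes(content: str) -> List[Tuple[str, str, str]]:
    """Return (shortcode, attribute, value) for every attribute value that
    contains Twig delimiters. Such values deserve review: a contributor-level
    account should never need template syntax inside a shortcode attribute."""
    hits = []
    for shortcode in SHORTCODE.finditer(content):
        for attr in ATTR.finditer(shortcode.group("attrs")):
            # Exactly one of the three value groups matched.
            value = next(v for v in attr.groups()[1:] if v is not None)
            if TWIG_DELIMITERS.search(value):
                hits.append((shortcode.group("name"), attr.group(1), value))
    return hits


if __name__ == "__main__":
    installed = version_from_plugin_header(PLUGIN_HEADER)
    print(f"installed {installed}: needs update = {needs_update(installed)}")
    for name, attr, value in find_twig_in_shortcodes(SAMPLE_CONTENT):
        print(f"review: [{name}] attribute {attr!r} contains template syntax: {value!r}")
```

In practice the content scan would be run over the `post_content` column of the site's database export rather than a literal string, and the version check against the `Version:` line of the installed plugin's main file; both functions take plain strings so they can be fed from either source.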

However, the plugin's developer, OnTheGoSystems, is downplaying the significance of the problem. Its representatives claim that exploitation requires certain conditions, including editing rights for the user as well as a specific site configuration, and they stress that the real risk of exploitation is extremely small.

Billed as the most popular WordPress website translation plugin, WPML supports over 65 languages and offers a multi-currency feature. According to the developer, the plugin is installed on more than a million websites.
