A vulnerability in the WPML (WordPress Multilingual) plugin has put over a million WordPress sites at risk of remote code execution (RCE) attacks.

This flaw allows authenticated users with contributor-level access or higher to execute arbitrary code on the server, potentially leading to a complete site takeover. The vulnerability, identified as CVE-2024-6386, affects all versions of the WPML plugin up to and including 4.6.12.

The flaw was discovered by a security researcher known as “stealthcopter” and responsibly reported through the Wordfence Bug Bounty Program. The researcher was awarded $1,639 for this critical finding.

Technical Analysis

The issue arises from a lack of input validation and sanitization in the plugin’s use of Twig, a popular templating engine.


Specifically, the vulnerability is found in the render() function of the WPML_LS_Public_API class, which processes user-supplied Twig templates without proper sanitization.

This oversight allows for server-side template injection, enabling attackers to inject and execute malicious code.

// WPML_LS_Public_API::render() as shipped in 4.6.12 and earlier (the vulnerable version):
protected function render( $args, $twig_template = null ) {
    $defaults_slot_args = $this->get_default_slot_args( $args );
    $slot_args = array_merge( $defaults_slot_args, $args );
    $slot = $this->get_slot_factory()->get_slot( $slot_args );
    $slot->set( 'show', 1 );
    // The caller-supplied Twig template string is stored and later rendered as-is;
    // no validation or sanitization happens here.
    $slot->set( 'template_string', $twig_template );
    if ( $slot->is_post_translations() ) {
        $output = $this->render->post_translations_label( $slot );
    } else {
        $output = $this->render->render( $slot );
    }
    return $output;
}

This function fails to sanitize the Twig template, allowing attackers to craft templates that execute arbitrary PHP functions.

Proof-of-Concept Exploit

A proof-of-concept exploit demonstrates how this vulnerability can be leveraged. Using the [wpml_language_switcher] shortcode, attackers can inject Twig code that executes PHP functions, such as phpinfo(), revealing sensitive server information.

[wpml_language_switcher]
{% set call_user_func = c~a~l~l~_~u~s~e~r~_~f~u~n~c %}
{% set phpinfo = p~h~p~i~n~f~o %}
{{ {1: phpinfo}|filter(call_user_func) }}
[/wpml_language_switcher]

This example uses Twig’s filter filter, which accepts a callable, to invoke phpinfo() through call_user_func; the function names are assembled character by character with Twig’s ~ concatenation operator, and the same technique can call far more harmful PHP functions.
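For defenders auditing a site that ran a vulnerable WPML version, the indicators in the proof of concept above are easy to hunt for in stored post content. The following scanner is an added example and not code from WPML or Wordfence; it flags [wpml_language_switcher] shortcodes whose body carries a Twig template and rates the ~-joined identifiers and the callable-taking filter() seen above as high severity. The sample posts are constructed.

```python
import re
from dataclasses import dataclass

# Shortcode with a body, i.e. a caller-supplied Twig template string.
SHORTCODE_RE = re.compile(
    r"\[wpml_language_switcher\b[^\]]*\](?P<body>.*?)\[/wpml_language_switcher\]", re.DOTALL)
TWIG_TAG_RE = re.compile(r"\{[%{].*?[%}]\}", re.DOTALL)
# Identifier assembled from single characters with Twig's ~ operator (c~a~l~l~...).
OBFUSCATED_NAME_RE = re.compile(r"(?<![\w~])\w(?:\s*~\s*\w){3,}(?![\w~])")
# The filter() filter takes a callable, which is how the PoC reaches phpinfo().
CALLABLE_FILTER_RE = re.compile(r"\|\s*filter\s*\(")

@dataclass
class Finding:
    severity: str
    reason: str
    snippet: str

def scan_post_content(content: str) -> list[Finding]:
    """Report shortcodes whose body is a Twig template; PoC indicators rate high."""
    findings = []
    for match in SHORTCODE_RE.finditer(content):
        body = match.group("body")
        if not TWIG_TAG_RE.search(body):
            continue  # no template string, nothing for Twig to render
        reasons = []
        if OBFUSCATED_NAME_RE.search(body):
            reasons.append("identifier built from ~-joined characters")
        if CALLABLE_FILTER_RE.search(body):
            reasons.append("filter() given a caller-chosen callable")
        severity = "high" if reasons else "medium"
        if not reasons:
            reasons.append("Twig tags inside a user-editable shortcode body")
        findings.append(Finding(severity, "; ".join(reasons), body.strip()[:80]))
    return findings

# Constructed samples (not real site data): self-closing use, a harmless template, the PoC shape.
SAMPLE_SELF_CLOSING = "Welcome! [wpml_language_switcher]"
SAMPLE_TEMPLATE = "[wpml_language_switcher]{{ language_name }}[/wpml_language_switcher]"
SAMPLE_INJECTION = (
    "[wpml_language_switcher]\n"
    "{% set call_user_func = c~a~l~l~_~u~s~e~r~_~f~u~n~c %}\n"
    "{% set phpinfo = p~h~p~i~n~f~o %}\n"
    "{{ {1: phpinfo}|filter(call_user_func) }}\n"
    "[/wpml_language_switcher]"
)
if __name__ == "__main__":
    for sample in (SAMPLE_SELF_CLOSING, SAMPLE_TEMPLATE, SAMPLE_INJECTION):
        for f in scan_post_content(sample):
            print(f"[{f.severity}] {f.reason}: {f.snippet!r}")
```

Run it over post_content exported from the database (for example via wp post list or a SQL dump) and review every high finding together with the author account that last edited the post.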

Wordfence swiftly responded by releasing a firewall rule on June 27, 2024, to protect its premium users. A month later, free users received protection.

Despite initial communication challenges, the WPML development team released a patch on August 20, 2024, with version 4.6.13 addressing the vulnerability.

Users are strongly urged to update to the latest version of WPML to mitigate the risk. The vulnerability’s critical CVSS score of 9.9 underscores the urgency of this update. This incident highlights the importance of robust security practices and timely updates in the WordPress ecosystem.

As plugins become increasingly complex, vulnerabilities like this remind users of the potential risks associated with third-party integrations. Users are encouraged to remain vigilant and proactive in maintaining their site’s security.
