Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites


August 27, 2024 at 11:18AM

A critical vulnerability in the WPML multilingual plugin for WordPress, tracked as CVE-2024-6386 with a CVSS score of 9.9, could expose over one million websites to remote code execution (RCE). The issue, involving a server-side template injection (SSTI), was resolved in WPML version 4.6.13, released on August 20. Users are strongly advised to update.

Key takeaways from the article:

– A critical vulnerability (CVE-2024-6386) in the WPML multilingual plugin for WordPress, with a CVSS score of 9.9, could lead to remote code execution (RCE).
– The vulnerability could be exploited by an attacker with contributor-level permissions due to server-side template injection (SSTI) in the Twig templates used by WPML.
– Proof-of-concept (PoC) code demonstrating the RCE exploit has been published by a researcher.
– The vulnerability was addressed in WPML version 4.6.13, released on August 20, and users are strongly advised to update to this version promptly.
– The severity of the vulnerability is disputed by the plugin’s maintainer, OnTheGoSystems, citing specific conditions required for its exploitation.
– WPML, installed on over one million websites, is advertised as the most popular translation plugin for WordPress, offering support for over 65 languages and multi-currency features.
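The takeaway about SSTI in Twig templates, illustrated with an added example that is not WPML's or OnTheGoSystems' code and does not reproduce the plugin's actual injection point (which the article does not describe): the same vulnerability class arises whenever text a low-privilege user controls is compiled as Twig template source rather than passed in as data. Assumes Twig 3 installed via Composer; the sample input is constructed.

```php
<?php
// Added illustration of the Twig SSTI anti-pattern and its hardened form.
// Not taken from WPML; assumes Twig 3 is available through Composer autoload.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample: text a contributor-level account could save in a post.
// Any Twig syntax it contains is the concern, not this particular string.
$untrusted = '{{ 7 * 7 }}';

// VULNERABLE: the user-controlled string is concatenated into the template
// *source*, so the template engine parses and executes whatever it contains.
function render_vulnerable(Environment $twig, string $userText): string
{
    return $twig->createTemplate('<p>' . $userText . '</p>')->render();
}

// HARDENED: the template source is a fixed literal written by the developer;
// user text enters only as a context variable and is output-escaped by the
// environment's autoescape setting, never parsed as template code.
function render_hardened(Environment $twig, string $userText): string
{
    return $twig->createTemplate('<p>{{ text }}</p>')
                ->render(['text' => $userText]);
}

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);

echo "vulnerable: ", render_vulnerable($twig, $untrusted), PHP_EOL;
echo "hardened:   ", render_hardened($twig, $untrusted), PHP_EOL;
```

Running it shows the vulnerable path evaluating the expression while the hardened path prints the input verbatim; the defensive rule is that template source must never be built from untrusted strings, regardless of the caller's WordPress role.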

