"Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites"

According to security researchers at Defiant, a critical vulnerability in the WPML multilingual plugin for WordPress could expose over one million websites to remote code execution (RCE). Tracked as CVE-2024-6386 (CVSS score of 9.9), the bug can be exploited by an attacker with contributor-level permissions. The researchers noted that WPML relies on Twig templates to render shortcode content but does not properly sanitize the input, which results in a server-side template injection (SSTI). As with all remote code execution vulnerabilities, the researchers said, this can lead to complete site compromise through the use of webshells and other techniques. CVE-2024-6386 was resolved in WPML version 4.6.13, released on August 20. Users are advised to update to WPML version 4.6.13 as soon as possible, given that PoC code targeting CVE-2024-6386 is publicly available.
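The SSTI pattern described above, as an added illustration that is not WPML's own code: a hypothetical shortcode handler that compiles contributor-supplied shortcode content as Twig template source (the vulnerable shape), next to a hardened form that keeps a fixed template shipped with the plugin and passes the content in only as an escaped variable, with the Twig sandbox enabled as a second layer. The function names, template name and markup are assumptions.

```php
<?php
// Added example, not WPML's code. Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE SHAPE (illustrative): the text between the shortcode tags,
// which a contributor-level user controls, becomes Twig *source*. Anything
// Twig treats as syntax in that string is compiled and executed on the server.
function render_shortcode_vulnerable(string $content): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($content)->render([]);
}

// HARDENED SHAPE: the template is fixed and ships with the plugin; user content
// only ever enters as a variable. Autoescaping turns braces and HTML in the
// content into inert, escaped output text instead of template code.
function render_shortcode_safe(string $content): string
{
    $loader = new ArrayLoader([
        // Hypothetical template name; the markup is a placeholder.
        'shortcode.twig' => '<div class="translated">{{ content }}</div>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);

    // Second layer: a sandbox enabled for every template, with a policy that
    // allows no tags, methods, properties or functions, so that even if a
    // later change does compile user input as source, what it can reach is
    // tightly limited. 'escape' is allowed because autoescaping uses it.
    $policy = new SecurityPolicy([], ['escape'], [], [], []);
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig->render('shortcode.twig', ['content' => $content]);
}

// Constructed sample: contributor-supplied content that contains Twig syntax
// and HTML. The safe renderer emits both as escaped literal text.
$sample = 'Hello {{ site_owner }} <b>welcome</b>';
echo render_shortcode_safe($sample), PHP_EOL;
```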


SecurityWeek reports: "Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites"

Submitted by Adam Ekwall on