RCE Vulnerability in WordPress ‘WPML’ Plugin Threatens Over 1 Million Websites
A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386) has recently been discovered in the WordPress Multilingual Plugin (WPML). This vulnerability poses a threat to more than 1,000,000 active WordPress websites worldwide, allowing attackers to gain control over the sites. The vulnerability emerged due to Server-Side Template Injection (SSTI) in the Twig template engine.
The risk level of this vulnerability is extremely high, scoring 9.9 on the CVSS scale, which indicates a critical severity level.
WPML is a premium plugin that enables multilingual functionality on WordPress websites. It allows websites to operate in multiple languages and is widely used globally.
The identified vulnerability affects all versions of the WPML plugin up to version 4.6.12. After the initial report, it took 62 days to patch the vulnerability, leaving websites exposed for an extended period.
As discovered by Stealthcopter, attackers exploited the vulnerability by calling the dump() function of the Twig template engine. This allowed them to read data from the server and execute arbitrary commands.
Below is an example of the exploit code:
[wpml_language_switcher]
{% set s = dump(current_language_code)|slice(0,1) %}
{% set y = dump(css_classes)|slice(4,1) %}
{% set system = s~y~s~t~e~m %}
{{ [id]|map(system)|join }}
[/wpml_language_switcher]
Using this code, attackers could assemble the string "system" from characters leaked by dump() and pass it as a callable, executing terminal commands such as id and pwd. In this way, user account information or system files could be accessed.
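To help site owners triage stored content while they roll out the patch, the following Python is an added defensive example (not code from the original article, WPML, or Stealthcopter). It scans post bodies for Twig delimiters inside the [wpml_language_switcher] shortcode described above, rates the finding higher when the body calls dump() or map() as in the exploit, and can neutralize the delimiters so Twig will not parse them. The sample post bodies are constructed; the shortcode-body check mirrors only what the article shows and is not a substitute for updating the plugin.

```python
import re

# Constructed sample post bodies (hypothetical, e.g. exported from wp_posts).
SAMPLES = {
    "benign": "Welcome! [wpml_language_switcher] Choose a language above.",
    "twig_in_shortcode": (
        "[wpml_language_switcher]"
        "{% set s = dump(x)|slice(0,1) %}{{ [id]|map(s) }}"
        "[/wpml_language_switcher]"
    ),
    "twig_outside": "Some text {{ user.name }} without the shortcode",
}

# Opening tag (with any attributes), body, closing tag of the shortcode.
SHORTCODE_RE = re.compile(
    r"(\[wpml_language_switcher[^\]]*\])(.*?)\[/wpml_language_switcher\]", re.S
)
# Twig expression / statement delimiters.
TWIG_RE = re.compile(r"\{\{|\{%")
# Calls the article's exploit relies on: dump() leaks strings, map() invokes a
# callable by name; '~' is Twig string concatenation used to build that name.
RISKY_RE = re.compile(r"\b(dump|map)\s*\(|~")


def analyse(content):
    """Return a list of findings for Twig syntax inside the shortcode body."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        body = m.group(2)
        if TWIG_RE.search(body):
            severity = "high" if RISKY_RE.search(body) else "medium"
            findings.append({"severity": severity, "snippet": body.strip()[:60]})
    return findings


def neutralize(content):
    """Break Twig delimiters inside the shortcode body so they are not parsed.

    Assumption: Twig only recognises the literal sequences '{{' and '{%';
    inserting a space defuses them. This is a stop-gap for stored content,
    not the vendor's fix.
    """
    def fix(m):
        body = m.group(2).replace("{{", "{ {").replace("{%", "{ %")
        return m.group(1) + body + "[/wpml_language_switcher]"
    return SHORTCODE_RE.sub(fix, content)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyse(body))
```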
The consequences of such an attack include:
- Site Takeover: Attackers can gain full control over the website.
- Data Theft: Sensitive data, such as user information and admin passwords, can be stolen.
- Malware Distribution: The website can be used to distribute malware to visitors’ computers.
All WordPress site owners using the WPML plugin must immediately update to the latest version. A secure and patched version of WPML has now been released to address this issue.
Additionally, website administrators should take the following security measures:
- Regularly update plugins and remove outdated versions.
- Install additional security plugins and perform regular website scans.
- Verify server security and enable necessary firewalls.
This incident underscores the importance of ensuring not only the functionality of plugins but also their security.