WordPress Multilingual Plugin (WPML) CMS Server-Side Template Injection Vulnerability (CVE-2024-6386)

A critical vulnerability has been discovered in a popular WordPress plugin called WPML, tracked as CVE-2024-6368, with a CVSS score of 9.9. Successful exploitation of the vulnerability may allow an authenticated attacker to execute arbitrary code on the vulnerable server.

The vulnerability was first disclosed to WordPress in June 2024 and was fully patched in August.

WordPress has not mentioned anything related to the active exploitation of the vulnerability.

WordPress Multilingual Plugin, is a plugin that helps users build and manage multilingual WordPress sites. It can translate a site into over 60 languages, including pages, posts, taxonomies, custom fields, and theme texts. As per Wordfence, the plugin has more than one million active installations.

A quick search revealed more than 500,000 targets on Fofa at the time of writing.

Image Source: Fofa

Vulnerability Details

CVE-2024-6386 is a remote code execution vulnerability exploited via Twig server-side template injection. The vulnerability originates from missing input validation and sanitization on the render() function. An attacker with Contributor-level access may exploit this vulnerability to execute code on the server.

Technical Details

The plugin provides a shortcode ([wpml_language_switcher]) that is responsible for adding a custom language switcher with a Twig template. The shortcode calls the callback() function in the WPML_LS_Shortcodes class, which then invokes the render() function in the WPML_LS_Public_API class.

This function renders the Twig template supplied in the shortcode content. The function fails to sanitize the template, allowing an attacker to inject malicious code into a template executed on the server.

Affected Versions

The vulnerability affects all versions of WPML up to and including version 4.6.12. 

Mitigation

Customers must upgrade to WPML version 4.6.13 to patch the vulnerability.

For more information, please refer to the WordPress Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QIDs 152148 and 731728 to detect vulnerable assets and web applications.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.wordfence.com/blog/2024/08/1000000-wordpress-sites-protected-against-unique-remote-code-execution-vulnerability-in-wpml-wordpress-plugin/

Leave a Reply

Your email address will not be published. Required fields are marked *