Critical Alert: Over 1 Million WordPress Sites Exposed to RCE Vulnerability!
Recent reports have highlighted a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2024-6386, affecting over 1,000,000 installations of the WordPress Multilingual Plugin (WPML). This vulnerability, which has a CVSS score of 9.9, stems from a Server-Side Template Injection (SSTI) flaw in the Twig template engine used by the plugin. Attackers could exploit this weakness to execute arbitrary code on affected websites, posing significant risks to both website owners and users.
Vulnerability Overview
- Affected Plugin: WPML (versions up to 4.6.12)
- Severity: Critical (CVSS score: 9.9)
- Exploitation Method: SSTI via Twig templates
- Impact: Allows authenticated users (with Contributor-level access or higher) to execute arbitrary code on the server.
The vulnerability was discovered by security researcher stealthcopter, who reported it through the Wordfence Bug Bounty program. Despite the critical nature of the flaw, it took 62 days for a patch to be released, during which time many websites remained vulnerable. The researcher received a bounty of $1,639 for their discovery, which has drawn criticism given the scale of the potential impact.
Technical Details
The vulnerability arises from improper input validation and sanitization in the plugin's rendering function, which allows user-supplied text to be treated as Twig template source rather than as data, so attackers can inject malicious payloads into Twig templates. For example, attackers could test for the vulnerability by submitting simple mathematical expressions; if an expression came back evaluated, that confirmed the input was being executed as a template on the server.
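To make the defect class concrete, the following PHP snippet contrasts the vulnerable pattern (compiling user text as a Twig template) with the hardened pattern (a fixed template that receives user text only as a variable). It is an added illustration, not WPML's code and not the patched plugin; it assumes the twig/twig package is installed via Composer and that the function names, the template name `greeting` and the sample input are constructed for this example.

```php
<?php
// Added illustration of the SSTI pattern, not WPML's own rendering code.
// Assumes: composer require twig/twig, run from the directory holding vendor/.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input: text a Contributor-level user might submit.
// Twig syntax inside it must be treated as data, never as code.
$untrusted = 'Hello {{ 7 * 7 }}';

// VULNERABLE PATTERN (the class of bug the article describes): the
// user-supplied string is compiled as a template, so Twig evaluates any
// expression, filter or function call it contains.
function render_vulnerable(string $userText): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($userText)->render([]);
}

// HARDENED PATTERN: the template is fixed code owned by the plugin; user
// text enters only through a variable and is HTML-autoescaped on output.
function render_hardened(string $userText): string
{
    $loader = new ArrayLoader([
        'greeting' => '<p>{{ text }}</p>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);
    return $twig->render('greeting', ['text' => $userText]);
}

// Defensive check for the input-validation layer: flag submissions that
// carry Twig delimiters so they can be rejected or logged before rendering.
function contains_template_syntax(string $userText): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $userText);
}

echo render_vulnerable($untrusted), PHP_EOL;
echo render_hardened($untrusted), PHP_EOL;
echo contains_template_syntax($untrusted) ? 'template syntax detected' : 'clean', PHP_EOL;
```

Run with `php ssti_demo.php`: the vulnerable function returns the arithmetic result in place of the expression, while the hardened function emits the submitted text verbatim inside the paragraph tag. The structural fix is the second pattern; the delimiter check is only a secondary control for logging and triage, since a denylist cannot substitute for keeping user input out of template source. Where a plugin genuinely must render user-authored templates, Twig's sandbox extension with a restrictive security policy should be layered on top.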
Recommendations for WPML Users
Website owners using WPML are strongly advised to update to version 4.6.13 or later immediately to mitigate this vulnerability. Additionally, organizations should implement proactive security measures such as:
- Input Validation: Ensure all user inputs are sanitized and validated.
- Regular Security Audits: Conduct routine assessments of plugins and themes for vulnerabilities.
- Prompt Patch Deployment: Apply updates swiftly when vulnerabilities are disclosed.
This incident underscores the importance of robust security practices in plugin development and highlights how critical vulnerabilities can emerge from seemingly innocuous components like template engines.