WPML, a popular WordPress plugin with over a million active installations, recently faced a serious security issue.
Security experts have found a serious vulnerability that could allow authorized users to inject malicious code into websites.
This vulnerability, referred to as a Remote Code Execution (RCE) flaw, enabled attackers to potentially gain control of affected websites. Fortunately, a new update for the WPML plugin has been released to fix this issue.
The vulnerability was identified by researchers at Wordfence, a leading security company that specializes in WordPress security.
Based on their findings, it appears that there is an issue with the PHP template engine called Twig, which is utilized by WPML.
Users who have been authenticated and have access to the post editor have the ability to exploit this vulnerability by injecting malicious code templates on the server side.
It is possible for someone with limited access to a WordPress site, like a contributor, to run harmful scripts that could put the entire site and its visitors at risk.
The vulnerability was initially reported on June 19, 2024, by a security researcher named via the Wordfence Bug Bounty Program.
The researcher received a generous reward of $1,639.00 for this discovery. Wordfence promptly verified the report and immediately started notifying the WPML development team.
Initially, there were some challenges in establishing communication with the plugin's developers.
Although there were some initial communication challenges, Wordfence and WPML managed to work together effectively.
The WPML team recently released version 4.6.13 of the plugin, which includes important security updates.
WordPress admins should update to the latest version immediately, as all versions of WPML up to and including 4.6.12 are affected.
The severity of this vulnerability is highlighted by its CVSS score of 9.9 out of 10, which is considered critical.
Therefore Wordfence strongly recommends that all WPML users update their plugins to the latest version, 4.6.13 or newer, to protect against this vulnerability.
Administrators should check their sites to ensure they are not running an outdated version of the plugin.
Not updating could put websites at risk of being attacked, potentially leading to complete site compromise.