
Remote Code Execution Vulnerability Patched in WPML WordPress Plugin – WP Tavern

The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have labeled as “Critical,” with a CVSS score of 9.9. Users are strongly advised to update their websites to the patched version, WPML 4.6.13.

Security researcher Mat Rollings (stealthcopter) discovered and reported the vulnerability through the Wordfence Bug Bounty program, earning a bounty of $1,639.

Wordfence’s István Márton explained: “The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.”

Mat Rollings dubbed this vulnerability “a classic example of the dangers of improper input sanitization in templating engines” and has shared more technical details about this vulnerability on his blog.
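The pattern Márton and Rollings describe, as an added PHP/Twig example that is not WPML's code: the unsafe path compiles user-controlled text as template source so Twig evaluates it, the safe path passes that text only as a variable, and a Twig sandbox policy is shown as defence in depth when template source genuinely must come from users. It assumes Twig is installed via Composer; the input string and the function names are constructed for the demo.

```php
<?php
// Added example, not WPML's code. Assumes: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample: text a Contributor-level user could save in post content.
$untrusted = '{{ 7 * 7 }}';

// VULNERABLE pattern: untrusted text becomes template *source*, so Twig
// parses and executes whatever expressions, filters or calls it contains.
function renderUnsafe(Environment $twig, string $input): string
{
    return $twig->createTemplate('Hello ' . $input)->render([]);
}

// SAFE pattern: the template source is fixed by the developer; user data
// enters only as a context variable and is escaped, never interpreted.
function renderSafe(Environment $twig, string $input): string
{
    return $twig->createTemplate('Hello {{ name }}')->render(['name' => $input]);
}

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
echo renderUnsafe($twig, $untrusted), PHP_EOL; // Hello 49        (evaluated)
echo renderSafe($twig, $untrusted), PHP_EOL;   // Hello {{ 7 * 7 }} (literal)

// Defence in depth: if users really must author templates, run Twig in
// sandbox mode with an allow-list so tags, filters, functions, methods and
// properties outside the list raise SecurityError at compile time.
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods on objects (none)
    [],                   // allowed object properties (none)
    ['range']             // allowed functions
);
$sandboxed = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
$sandboxed->addExtension(new SandboxExtension($policy, true)); // sandbox everything

try {
    // 'lower' is not in the filter allow-list, so the sandbox rejects it.
    echo $sandboxed->createTemplate('{{ "abc"|lower }}')->render([]), PHP_EOL;
} catch (SecurityError $e) {
    echo 'Blocked by sandbox policy: ', $e->getMessage(), PHP_EOL;
}
```

The sandbox is a second layer only: plain arithmetic such as `{{ 7 * 7 }}` is still evaluated inside it, so the primary fix remains never building template source from user input.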

In the past eight days, researchers have earned $21,037 in bounties for reporting three critical plugin vulnerabilities: GiveWP, LiteSpeed Cache, and WPML.
