A critical vulnerability was discovered in the WPML WordPress plugin, affecting over a million installations. The vulnerability allows an authenticated attacker to perform remote code execution, potentially leading to a total site takeover. It is listed as rated 9.9 out of 10 by the Common Vulnerabilities and Exposures (CVE) organization.
WPML Plugin Vulnerability
The plugin vulnerability is due to a lack of a security check called sanitization, a process for filtering user input data to protect against the upload of malicious files. Lack of sanitization in this input makes the plugin vulnerable to a Remote Code Execution.
The vulnerability exists within a function of a shortcode for creating a custom language switcher. The function renders the content from the shortcode into a plugin template but without sanitizing the data, making it vulnerable to code injection.
The vulnerability affects all versions of the WPML WordPress plugin up to and including 4.6.12.
Timeline Of Vulnerability
Wordfence discovered the vulnerability in late June and promptly notified the publishers of WPML which remained unresponsive for about a month and a half, confirming response on August 1, 2024.
Users of the paid version of Wordfence received protection eight days after discovery of the vulnerability, the free users of Wordfence received protection on July 27th.
Users of the WPML plugin who did not use either version of Wordfence did not receive protection from WPML until August 20th, when the publishers finally issued a patch in version 4.6.13.