WordPress Plugin Vulnerable to Remote Code Execution
Key Information
- Vendor
- WPML
- Vendor
- CVE Published:
- 21 August 2024
Badges
Summary
A critical vulnerability (CVE-2024-6386) in the popular WPML WordPress Multilingual plugin has been discovered, allowing for remote code execution. This vulnerability affects all versions up to 4.6.12, making it possible for attackers with Contributor-level access or above to execute code on the server. The security firm Wordfence has facilitated the disclosure of the flaw and researchers have earned bounties for reporting critical plugin vulnerabilities. The issue was resolved in WPML version 4.6.13, and users are strongly encouraged to update to that version as soon as possible. Publicly available proof-of-concept code targeting the vulnerability has raised concerns about the potential exploitation of this issue, as it could lead to complete site compromise through various techniques.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
Urgent security update for WPML WordPress plugin: Critical flaw allows remote code execution.
3 weeks ago
Remote Code Execution Vulnerability Patched in WPML WordPress Plugin
The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classif…
3 weeks ago
Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites
A critical vulnerability in the WPML WordPress plugin could allow a remote attacker to execute arbitrary code on the server.
3 weeks ago
CVSS V3.1
Timeline
- 👾
Exploit exists.
First article discovered by SecurityWeek
Vulnerability published.