WordPress Plugin Vulnerable to Remote Code Execution

CVE-2024-6386

Summary

A critical vulnerability (CVE-2024-6386) in the popular WPML WordPress Multilingual plugin has been discovered, allowing for remote code execution. This vulnerability affects all versions up to 4.6.12, making it possible for attackers with Contributor-level access or above to execute code on the server. The security firm Wordfence has facilitated the disclosure of the flaw and researchers have earned bounties for reporting critical plugin vulnerabilities. The issue was resolved in WPML version 4.6.13, and users are strongly encouraged to update to that version as soon as possible. Publicly available proof-of-concept code targeting the vulnerability has raised concerns about the potential exploitation of this issue, as it could lead to complete site compromise through various techniques.

News Articles

Cyber Security News

CVE-2024-6386

RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend

A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386), affecting over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML) Twig template engine.

1 month ago

The Hacker News

CVE-2024-6386

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

Urgent security update for WPML WordPress plugin: Critical flaw allows remote code execution.

4 months ago

WP Tavern

CVE-2024-6386

Remote Code Execution Vulnerability Patched in WPML WordPress Plugin

The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classif…

5 months ago

More News...

References