RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend

A severe remote code execution (RCE) vulnerability, CVE-2024-6386, affects more than 1,000,000 active installations of the WordPress Multilingual Plugin (WPML).

The flaw is a server-side template injection (SSTI): the plugin hands user-controlled shortcode content to the Twig template engine as template code rather than as data, so an attacker can execute arbitrary code on affected websites.

The vulnerability carries a CVSS score of 9.9 (critical) and poses a serious risk to site owners and their users until it is patched.

WPML: A Popular Target

WPML is a premium plugin widely used to build multilingual websites, letting visitors switch languages on the same site. The vulnerability affects WPML 4.6.12 and all earlier versions, leaving more than a million WordPress sites exposed.

stealthcopter, a security researcher with extensive application security experience, reported the issue. Despite its significance, the vulnerability took 62 days to fix, and the researcher received a bounty of $1,639.

Server-Side Template Injection (SSTI)

SSTI vulnerabilities occur when user input is inserted into a template as template code rather than as data, and the rendering engine (here, Twig) then compiles and evaluates it. By injecting a payload that is valid template syntax, an attacker can read sensitive data, escalate to RCE, and take control of the server.

In WPML the vulnerability lies in the plugin’s shortcode block. Attackers can test for SSTI by submitting a simple payload, such as an arithmetic expression, and checking whether it is evaluated.

If the response contains the result of the arithmetic (28, in stealthcopter’s test) rather than the expression itself, the input is being evaluated on the server, a clear sign of SSTI.

Escalating to Remote Code Execution

According to the WPSEC report, after confirming the injection stealthcopter escalated it to remote code execution. He used Twig’s dump() function, which prints detailed information about a variable, to extract individual characters from that output and concatenate them into the string “system”, the name of the PHP function that runs shell commands.

This allowed stealthcopter to run shell commands such as id and pwd, which reveal the user the web server runs as and its working directory. The final proof-of-concept payload read sensitive files such as the system’s password file.

Example payload, as reproduced in the report (note that the variables t, e and m are not defined in this excerpt; Twig renders an undefined variable as an empty string, so the remaining letters of “system” have to be assembled in the same way):

[wpml_language_switcher]
{% set s = dump(current_language_code)|slice(0,1) %}
{% set y = dump(css_classes)|slice(4,1) %}
{% set system = s~y~s~t~e~m %}
{{ [id]|map(system)|join }}
[/wpml_language_switcher]

Because the commands run as the web server’s user, an attacker who reaches this point controls the site’s backend and everything the web server can read or write.
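The following is an added example, not WPML’s code or the researcher’s, that shows the vulnerable pattern behind both the arithmetic probe and the dump()/map() escalation above, next to a hardened version. It assumes Twig 3 installed through Composer; the function names, the template name and the context keys are illustrative.

```php
<?php
// Added example (not WPML's code): the shortcode-to-Twig pattern that enables
// SSTI, beside the fix. Assumes Twig 3 via Composer; names are illustrative.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Constructed context resembling what a language-switcher template receives.
$context = [
    'current_language_code' => 'en',
    'css_classes'           => ['wpml-ls', 'wpml-ls-legacy-list-horizontal'],
];

// VULNERABLE: the text between the shortcode tags is compiled as a template.
// Whatever a user types there becomes Twig code, so {{ 4*7 }} is evaluated and
// {% set %} / dump() / map() are available exactly as in the payload above.
function renderShortcodeUnsafe(string $untrustedContent, array $context): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($untrustedContent)->render($context);
}

// HARDENED: only a fixed, developer-authored template is ever compiled, and the
// user-supplied text is passed in as a variable. It is printed through the
// autoescaper, so template syntax inside it is output as literal text.
function renderShortcodeSafe(string $untrustedContent, array $context): string
{
    $loader = new ArrayLoader([
        'switcher.twig' => '<div class="{{ css_classes|join(" ") }}" '
            . 'data-lang="{{ current_language_code }}">{{ content }}</div>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);

    // Defence in depth: run every template in Twig's sandbox with an allow-list
    // of tags, filters, methods, properties and functions. dump() and map are
    // not on it, so the escalation technique fails even if someone later
    // reintroduces createTemplate() on user input by mistake.
    $policy = new SecurityPolicy(
        [],                 // tags
        ['escape', 'join'], // filters
        [],                 // methods
        [],                 // properties
        []                  // functions
    );
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig->render('switcher.twig', $context + ['content' => $untrustedContent]);
}

// The arithmetic probe from the article: evaluated by the first function,
// echoed back as text by the second.
$probe = '{{ 4*7 }}';
echo "unsafe: ", renderShortcodeUnsafe($probe, $context), "\n";
echo "safe:   ", renderShortcodeSafe($probe, $context), "\n";
```

Run it with `php ssti_demo.php` after `composer require twig/twig`. The unsafe call prints the product of the arithmetic, which is exactly the behaviour the probe looks for; the safe call prints the braces unchanged inside the div. The important change is not escaping or filtering the input but never letting it reach createTemplate(): sanitizing Twig syntax out of free text is fragile, whereas data passed into a fixed template cannot become code.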

Left unpatched, this vulnerability is a gateway for attackers to compromise more than 1,000,000 WordPress sites: install malware, access sensitive data, or cause reputational and financial damage to the organizations running them.

Although WPML eventually released a fix, the patch came 62 days after the vulnerability was reported. Throughout that window, sites running the plugin remained exposed.

Given the severity and reach of the issue, the $1,639 bounty paid to stealthcopter sparked controversy in the security community.

This incident highlights the importance of:

  1. Keeping user input out of template code: user-supplied text should be passed to a fixed template as data and validated there; stripping template syntax out of free text is fragile and not a fix.
  2. Regular security audits: plugin developers must prioritize regular security assessments to find vulnerabilities before attackers do.
  3. Faster patching: a vulnerability of this magnitude requires immediate action to protect users and prevent exploitation.

Despite the plugin’s popularity and its central role in multilingual sites, WPML’s handling of this vulnerability is a reminder of how dangerous an insecure design can be when it exposes a powerful tool like a template engine to user input.

The WPML vulnerability highlights the need for rigorous security measures in plugin development. Plugins add a great deal of functionality, but they are also a prime target for attackers when they are not properly secured.

Thanks to researchers like stealthcopter, such vulnerabilities are discovered and responsibly reported before they cause catastrophic damage to millions of websites around the world.

WordPress site owners using WPML should update to the latest version (any release newer than 4.6.12) immediately to secure their sites.
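Updating closes the hole but does not tell you whether it was used. The script below is an added example, not WPML’s or the researcher’s code, that sweeps stored post content for the injection pattern described above: Twig syntax inside a wpml_language_switcher shortcode body. It assumes you have exported post content (for example from wp_posts.post_content); the posts here are constructed so the script runs offline, and the indicator names are illustrative.

```php
<?php
// Added example: hunt for Twig syntax inside [wpml_language_switcher] bodies in
// stored content. Not WPML's code; the sample posts below are constructed.

/**
 * Return every shortcode body that contains Twig syntax or the filters and
 * functions used in the published escalation. Each hit carries the post ID,
 * the decoded body and the list of indicators that fired.
 */
function findTwigInSwitcherShortcodes(array $posts): array
{
    // Opening tag with optional attributes, body, closing tag. The self-closing
    // form ([wpml_language_switcher/]) has no body and never matches.
    $shortcodeRe = '/\[wpml_language_switcher\b([^\]]*)\](.*?)\[\/wpml_language_switcher\]/is';

    // Checked against the body after HTML-entity decoding, so that braces
    // stored as &#123; by an editor are still caught.
    $indicators = [
        'twig_print_tag' => '/\{\{/',
        'twig_block_tag' => '/\{%/',
        'dump_function'  => '/\bdump\s*\(/i',
        'map_filter'     => '/\|\s*map\b/i',
        'slice_filter'   => '/\|\s*slice\b/i',
        'exec_function'  => '/\b(system|exec|shell_exec|passthru|popen|proc_open)\b/i',
    ];

    $hits = [];
    foreach ($posts as $post) {
        if (!preg_match_all($shortcodeRe, $post['content'], $matches, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($matches as $m) {
            $body  = html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5);
            $fired = [];
            foreach ($indicators as $name => $re) {
                if (preg_match($re, $body)) {
                    $fired[] = $name;
                }
            }
            if ($fired) {
                $hits[] = [
                    'post_id'    => $post['ID'],
                    'body'       => trim($body),
                    'indicators' => $fired,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample content: one benign use, the arithmetic probe, the
// escalation payload from the article, an entity-encoded probe, and braces
// that sit outside any shortcode (and so must not be flagged).
$posts = [
    ['ID' => 1, 'content' => '[wpml_language_switcher flags=1 type="footer"][/wpml_language_switcher]'],
    ['ID' => 2, 'content' => 'Intro [wpml_language_switcher]{{ 4*7 }}[/wpml_language_switcher]'],
    ['ID' => 3, 'content' => <<<'TXT'
[wpml_language_switcher]
{% set s = dump(current_language_code)|slice(0,1) %}
{% set y = dump(css_classes)|slice(4,1) %}
{% set system = s~y~s~t~e~m %}
{{ [id]|map(system)|join }}
[/wpml_language_switcher]
TXT
    ],
    ['ID' => 4, 'content' => '[wpml_language_switcher]&#123;&#123; 4*7 &#125;&#125;[/wpml_language_switcher]'],
    ['ID' => 5, 'content' => 'Docs: write {{ variable }} to print it.'],
];

echo json_encode(findTwigInSwitcherShortcodes($posts), JSON_PRETTY_PRINT), "\n";
```

Posts 2, 3 and 4 are reported and posts 1 and 5 are not. Treat any hit as worth triage rather than proof of compromise: the shortcode body is user-editable content, so the question for incident response is who saved that revision and when, which wp_posts.post_author and the post revision history answer.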
