WPML, a popular plugin for creating multilingual WordPress sites with more than a million active installations, was found to be vulnerable to server-side template injection attacks. It’s the third plugin requiring an urgent update in the last two weeks alone.
A security researcher who goes by the alias ‘stealthcopter’ has discovered a way to remotely execute code on a server hosting a website using WPML. A potential attacker would only need to have basic access to the CMS, like a writer who has access to the post editor.
The flaw lies in how the plugin handles certain types of content without proper safety checks. For example, a contributor to the website using WPML can add a malicious shortcode, and the plugin fails to sanitize it.
The researcher demonstrated this by entering a test payload into the editor, which was executed when rendering the post preview. Additional workarounds are required to craft complex commands that could be passed to the server. Potential attackers could take over the website and view sensitive information from the server, such as passwords.
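To make the difference between "handles content without proper safety checks" and safe handling concrete, here is an added example that is not code from the article, from WPML, or from the researcher's report. It uses a deliberately tiny stand-in template engine (real engines such as Twig or Jinja evaluate far more than variable lookups, which is exactly what makes injected template syntax dangerous). The function names, the `SERVER_CONTEXT` values, the `example_shortcode` name and every sample string are constructed assumptions for illustration; the vulnerable path shows why splicing untrusted shortcode text into a template source is unsafe, the safe path shows the fix (fixed template, untrusted text only as an escaped value), and `flag_template_syntax` is a triage helper an admin could run over saved post content.

```python
import html
import re

# Toy template engine, constructed for this example: it resolves {{ name }}
# from a context dict. Real engines evaluate expressions and function calls,
# so user text that reaches the template parser is far more dangerous there.
TEMPLATE_EXPR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(template_source: str, context: dict) -> str:
    """Substitute each {{ name }} in template_source with context[name] (or '')."""
    return TEMPLATE_EXPR.sub(lambda m: str(context.get(m.group(1), "")), template_source)


# Values the server would have in scope while rendering; constructed sample data.
SERVER_CONTEXT = {
    "site_name": "Example Site",
    "secret_setting": "constructed-secret",
}


def render_shortcode_vulnerable(attr_value: str) -> str:
    """Vulnerable pattern: untrusted shortcode attribute text is spliced into the
    template SOURCE, so any template syntax it carries is parsed and evaluated
    with the server's context in scope."""
    template_source = f'<span class="switcher">{attr_value}</span>'
    return render(template_source, SERVER_CONTEXT)


def render_shortcode_safe(attr_value: str) -> str:
    """Hardened pattern: the template is a fixed string the developer controls and
    untrusted text enters only as a context VALUE, HTML-escaped for output.
    Braces in the value survive as literal text because the engine never
    re-scans substituted values."""
    template_source = '<span class="switcher">{{ label }}</span>'
    return render(template_source, {"label": html.escape(attr_value)})


# Triage helper: list shortcodes in saved post content whose attribute text
# contains template delimiters. The shortcode pattern is a simplified form of
# WordPress's [name attrs] syntax and is an assumption of this example.
SHORTCODE = re.compile(r"\[(?P<name>[A-Za-z0-9_-]+)(?P<attrs>[^\]]*)\]")
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")


def flag_template_syntax(post_content: str) -> list:
    """Return the names of shortcodes whose attributes contain template delimiters."""
    return [
        m.group("name")
        for m in SHORTCODE.finditer(post_content)
        if TEMPLATE_DELIMS.search(m.group("attrs"))
    ]


if __name__ == "__main__":
    # Constructed attribute value a contributor could save from the post editor.
    untrusted = "{{ secret_setting }}"
    print("vulnerable:", render_shortcode_vulnerable(untrusted))
    print("safe:      ", render_shortcode_safe(untrusted))
    print("flagged:   ", flag_template_syntax('[example_shortcode label="{{ secret_setting }}"]'))
```

The design point is that the vulnerable and safe versions differ only in where the untrusted string enters: as part of the template text (parsed) or as a value bound to a variable (data). The triage helper is a coarse check, useful for finding content to review after a patch, not a substitute for the fix itself.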
“The crafted payload uses the dump function to gather letters needed to construct commands without using quotes. Once we have basic command execution, we can further leverage it to gain more control over the server,” the researcher said in the report.
On June 19th, the issue was disclosed to Wordfence, a popular security plugin for WordPress. Eight days later, the researcher was awarded a $1,639 bounty. The patch was released two months later, on August 20th, in version 4.6.13. All previous versions are affected.
“This vulnerability requires a bad actor to have editing privileges on a WordPress site. This means they need to have a Contributor or higher-level user role on the targeted site. That being said, the severity comes down to what types of users you have on your site. If you and your team are the sole admins/writers/editors on the site, there’s no one outside of you or your team that could exploit this vulnerability,” the WPML Team said in a blog post.
“The patch was developed, tested, and released in close collaboration with Wordfence, and the issue has been fully resolved.”
WPML, which offers translation and language-switching features, is used by many multilingual WordPress sites. It’s a premium plugin charging between €39 and €199 per year.
This is at least the third critical vulnerability disclosed in less than two weeks that WordPress admins need to patch.
Last week, LiteSpeed Cache, another very popular plugin for speeding up WordPress websites, was discovered to be vulnerable to external unauthenticated attackers, leaving five million websites in danger.
More than 100,000 sites are also vulnerable to a flaw in the GiveWP donation and fundraising plugin.
Security researcher Eddie Zhang at Project Black also shared 14 additional common vulnerabilities and exposures (CVEs) affecting WordPress plugins. Most affected plugins had a small user base, usually below 2,000 users.
Updated on September 2nd [06:55 a.m. GMT] with a statement from the WPML Team.