The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
The vulnerability results from lack of validation and sanitization of input data in the render function handling Twig templates. An attacker with Contributor level access or higher can inject malicious code into a Twig template, which is then executed on the server side. The lack of proper input filtering allows malicious payload to be passed directly to the template engine, bypassing security mechanisms.
An authenticated attacker can gain full control over the server through remote code execution, leading to complete compromise of confidentiality, integrity and availability of the system — including the possibility of server takeover, data breach and installation of backdoors.
Update the WPML plugin to a version higher than 4.6.12. Patches are available from the vendor according to references on the wpml.org website. Additionally, it is recommended to restrict user permissions to Contributor level where not necessary.
WPML plugin for WordPress in all versions up to and including 4.6.12
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HWpml
APPWpml< 4.6.13
Related vulnerabilities
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allow...
SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute a...
The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_swit...
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows user...
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows user...