Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

28-August-24

A critical vulnerability in WPML, the WordPress multilingual plugin, tracked as CVE-2024-6386 with a CVSS score of 9.9, allows authenticated users with Contributor-level access or higher to execute arbitrary code on the server. The flaw is present in every version before 4.6.13 and stems from improper validation and sanitization of shortcode input, which the plugin hands to its template engine without filtering, resulting in server-side template injection (SSTI). Because Contributor is the lowest WordPress role that can create posts and is routinely granted to guest authors on multi-author sites, the precondition is easy to meet; an attacker who satisfies it can run commands on the server and take control of the affected site. Site owners should update WPML to 4.6.13 or later and, on sites with untrusted Contributor accounts, review pending and draft content for template syntax embedded in shortcodes.
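Two checks a practitioner would want after reading the above, written here as an added example (not code from the article, from WPML, or from the vulnerability report): a numeric version comparison against the 4.6.13 fix, and a hunt over wp_posts-style rows for shortcodes whose attributes or enclosed content carry template delimiters, which is the input path the advisory describes. Assumptions: the delimiter patterns are Twig's (`{{ }}`, `{% %}`, `{# #}`); the article only says "SSTI", so treat the regex as a heuristic. The shortcode names and the post rows are constructed for the example.

```python
"""Hunt for server-side template injection probes hidden in WordPress shortcodes,
and check whether an installed WPML version predates the 4.6.13 fix.

Added example, not code from WPML or from the article. Assumptions are marked.
"""
import re

# WordPress shortcode syntax: [name attrs]content[/name] or self-closing [name attrs].
SHORTCODE_RE = re.compile(
    r"\[(?P<name>[A-Za-z0-9_-]+)(?P<attrs>[^\]]*)\]"
    r"(?:(?P<content>.*?)\[/(?P=name)\])?",
    re.S,
)

# Template delimiters. ASSUMPTION: the injected syntax is Twig's
# ({{ }}, {% %}, {# #}); the article only says "SSTI", so this is a heuristic.
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)

FIXED_VERSION = (4, 6, 13)  # from the article: all versions before 4.6.13 are affected


def parse_version(version: str) -> tuple:
    """Turn '4.6.12' into (4, 6, 12) so the comparison is numeric, not lexical.
    A plain string compare gets it wrong: '4.6.9' > '4.6.13' as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed WPML version is older than the 4.6.13 fix."""
    return parse_version(version) < FIXED_VERSION


def find_template_syntax_in_shortcodes(post_content: str) -> list:
    """Return one finding per shortcode attribute block or enclosed content
    that carries template delimiters. Template syntax outside any shortcode
    is deliberately not reported, because the flaw lives in shortcode handling."""
    findings = []
    for m in SHORTCODE_RE.finditer(post_content):
        for where in ("attrs", "content"):
            text = m.group(where) or ""
            hit = TEMPLATE_SYNTAX_RE.search(text)
            if hit:
                findings.append({
                    "shortcode": m.group("name"),
                    "where": where,
                    "snippet": hit.group(0),
                })
    return findings


def hunt(posts: list) -> list:
    """Scan wp_posts-like rows and return those with suspicious shortcodes,
    keeping author and status so a reviewer can see whether a low-privilege
    account (for example a Contributor) planted the content."""
    results = []
    for post in posts:
        findings = find_template_syntax_in_shortcodes(post["post_content"])
        if findings:
            results.append({
                "ID": post["ID"],
                "post_author": post["post_author"],
                "post_status": post["post_status"],
                "findings": findings,
            })
    return results


# Constructed sample rows in wp_posts shape; shortcode names are illustrative.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 7, "post_status": "pending",
     "post_content": "Intro text [wpml_language_switcher] more text"},
    {"ID": 102, "post_author": 7, "post_status": "pending",
     "post_content": "[wpml_language_switcher]{{ 7*7 }}[/wpml_language_switcher]"},
    {"ID": 103, "post_author": 9, "post_status": "draft",
     "post_content": '[some_shortcode template="{% set x = 1 %}"] trailing text'},
    {"ID": 104, "post_author": 2, "post_status": "publish",
     "post_content": "Plain paragraph mentioning {{ 7*7 }} without any shortcode"},
]


if __name__ == "__main__":
    for row in hunt(SAMPLE_POSTS):
        print(row["ID"], row["post_author"], row["post_status"], row["findings"])
    for v in ("4.6.12", "4.6.13", "4.6.9"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Post 104 is left out of the results on purpose: braces in free text are harmless unless something renders them, so a match is only meaningful when it sits inside the shortcode input the plugin passes to its template engine. A real hunt would feed the function rows from `wp_posts` (including revisions and the `pending` status that Contributors are limited to) rather than the constructed list.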
