One million WordPress sites vulnerable due to flaw in multilingual plugin

A critical vulnerability in WPML, a popular plugin that makes WordPress sites multilingual, allows attackers to take over websites remotely. The plugin has more than one million active installations. Users of the security plugin Wordfence were already protected against the flaw; it took the plugin's creator more than two months to issue a fix.

The vulnerability, designated CVE-2024-6386 and given a severity score of 9.9 out of 10, enabled server-side template injection due to missing input validation. This could be exploited for remote code execution.
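The bug class named above is worth seeing side by side with its fix. The following is an added illustration, not WPML's or Wordfence's code: a toy template engine (stand-in for the real, PHP-based one) with a constructed context holding a placeholder secret. The vulnerable version splices untrusted text into the template source, so template syntax typed by the user is evaluated; the fixed version keeps the template source constant, passes the untrusted text in as a value only, and additionally rejects input that carries template delimiters.

```python
import html
import re

# Constructed context: "db_password" stands in for any server-side value the
# engine can reach but the caller never intended to expose to a visitor.
CONTEXT = {"site_name": "Example Site", "db_password": "PLACEHOLDER-SECRET"}

VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{|\{%|%\}|\}\}")


def render(template: str, context: dict) -> str:
    """Minimal stand-in for a template engine: expands {{ name }} from context.
    re.sub does not re-scan its replacements, so values substituted in are
    never themselves interpreted as template syntax."""
    return VAR_RE.sub(lambda m: str(context.get(m.group(1), "")), template)


def render_title_vulnerable(user_input: str) -> str:
    # Defect (the SSTI pattern): untrusted text becomes part of the template
    # *source*, so any {{ ... }} the user supplies is evaluated by the engine.
    template = "<h1>" + user_input + " | {{ site_name }}</h1>"
    return render(template, CONTEXT)


def validate_title(user_input: str) -> bool:
    """Input validation: plain titles never legitimately contain template
    delimiters, so reject them outright before anything else runs."""
    return TEMPLATE_SYNTAX_RE.search(user_input) is None


def render_title_fixed(user_input: str) -> str:
    # Fix: constant template source; untrusted text enters only as a context
    # value and is HTML-escaped on output. Validation is defence in depth,
    # not the primary control.
    if not validate_title(user_input):
        raise ValueError("template syntax is not allowed in titles")
    template = "<h1>{{ title }} | {{ site_name }}</h1>"
    return render(template, {**CONTEXT, "title": html.escape(user_input)})


def render_title_fixed_without_validation(user_input: str) -> str:
    # Same fix with validation left out, to show that keeping the template
    # source constant is by itself enough to stop evaluation of user syntax.
    template = "<h1>{{ title }} | {{ site_name }}</h1>"
    return render(template, {**CONTEXT, "title": html.escape(user_input)})


if __name__ == "__main__":
    probe = "{{ db_password }}"  # constructed input that names a context value
    print("vulnerable:", render_title_vulnerable(probe))
    print("fixed     :", render_title_fixed_without_validation(probe))
```

Run as a script, the vulnerable variant prints the placeholder secret inside the heading while the fixed variant prints the user's text literally. The durable lesson is the separation of code from data: template source is code and must never be assembled from request input, whatever the engine.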

The vulnerability was discovered by a security researcher who tipped off Wordfence through their Bug Bounty Program. Wordfence responded by releasing a firewall rule in late June to protect Wordfence Premium, Wordfence Care, and Wordfence Response users from potential exploits. On July 27, users of the free version of Wordfence also received this protection.

No swift action

Despite repeated attempts to reach the plugin's developer, OnTheGoSystems, a response was delayed until August 1. Only after full disclosure of the details was a patch released in version 4.6.13 on August 20.

WPML is a plugin that makes WordPress sites multilingual and is active on over one million websites. Because of the vulnerability, attackers who already have authenticated access to the post editor (a prerequisite for exploitation) can take over the entire website.

Urgent update required

Wordfence stresses that administrators should urgently update to the latest version of the plugin to avoid risks. Because WPML is a paid plugin, no public data is available on how many installations have been updated.

WordPress plugins are prime targets for malicious actors. Just recently, LiteSpeed Cache, a popular WordPress plugin for site optimization, was found to contain a vulnerability that allowed hackers to give themselves admin rights over the site and, in effect, take over its entire contents. This plugin would leave some five million WordPress sites vulnerable to such escalation-of-privileges attacks.