CVE-2024-6386 – The WPML WordPress plugin has a critical Server... (How to Fix)

Q: What is the severity of CVE-2024-6386?

CVE-2024-6386 has a CVSS score of 9.9 (CRITICAL). The WPML WordPress plugin has a critical Server-Side Template Injection vulnerability that allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. This affects all WPML versions up to 4.6.12. Attackers can potentially take full control of affected WordPress sites.

📋 TL;DR

The WPML WordPress plugin has a critical Server-Side Template Injection vulnerability that allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. This affects all WPML versions up to 4.6.12. Attackers can potentially take full control of affected WordPress sites.

💻 Affected Systems

Products:

WPML (WordPress Multilingual Plugin)

Versions: All versions up to and including 4.6.12

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with WPML plugin enabled. Contributor-level access or higher needed for exploitation.

📦 What is this software?

Wpml by Wpml

View all CVEs affecting Wpml →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to install backdoors, steal sensitive data, deface websites, or use the server for further attacks.

🟠

Likely Case

Website defacement, data theft, malware installation, or cryptocurrency mining due to the relatively low privilege requirement for exploitation.

🟢

If Mitigated

Limited impact if proper access controls and network segmentation are in place, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but only at Contributor level, which is relatively easy to obtain. Public proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.13 and later

Vendor Advisory: https://wpml.org/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WPML plugin. 4. Click 'Update Now' if update available. 5. If no update shows, download version 4.6.13+ from wpml.org and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable WPML plugin until patched

Restrict User Registration

all

Disable new user registration to prevent attackers from obtaining Contributor accounts

🧯 If You Can't Patch

Implement strict access controls and review all user accounts with Contributor+ privileges
Deploy web application firewall rules to detect and block SSTI patterns

🔍 How to Verify

Check if Vulnerable:

Check WPML plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin list --name=wpml --field=version (if WP-CLI installed)

Verify Fix Applied:

Verify WPML version is 4.6.13 or higher after update

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wpml endpoints
Twig template rendering errors
Unexpected process execution from web server

Network Indicators:

Outbound connections from web server to suspicious IPs
Unusual payloads in HTTP requests containing Twig syntax

SIEM Query:

web.url:*wpml* AND (web.method:POST OR web.status:500) AND (web.uri:*twig* OR web.uri:*render*)

📊 Metadata

CVE ID: CVE-2024-6386

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-1336

Published: August 21, 2024

Last Updated: September 27, 2024

🔗 References

https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/ Exploit,Third Party Advisory
https://wpml.org/ Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-6386, you might also want to check these: