A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386), affecting over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML).
This flaw, stemming from a Server-Side Template Injection (SSTI) vulnerability in the Twig template engine, allowed attackers to execute arbitrary code on the affected websites.
Rated as critical with a CVSS score of 9.9, the vulnerability posed a severe risk to website owners and users alike before it was addressed.
WPML: A Popular Target
WPML is a premium plugin widely used for building multilingual websites, enabling users to seamlessly switch between languages on the same site. The vulnerability impacted all WPML versions up to 4.6.12, making millions of WordPress websites susceptible to attack.
Security researcher stealthcopter, armed with extensive experience in application security, reported the issue. Despite the magnitude of this discovery, it took 62 days for the vulnerability to be patched, and the researcher received a modest bounty payment of $1,639.
Server-Side Template Injection (SSTI)
SSTI vulnerabilities occur when user input is improperly integrated into templates using a rendering engine such as Twig. By injecting malicious payloads in the form of valid template syntax, attackers can gain control over a server, read sensitive data, or escalate their attack to achieve RCE.
In the case of WPML, the vulnerability resided in the plugin’s shortcode blocks, Attackers could test for SSTI vulnerabilities by sending simple payloads, such as mathematical expressions, to check if they were evaluated.
If the output displayed 28, as stealthcopter observed, it indicated that the input was being executed on the server a clear sign of SSTI.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Escalating to Remote Code Execution
According to the WPSEC report, with the vulnerability confirmed, stealthcopter escalated the attack to achieve Remote Code Execution. Using Twig’s dump() function, which reveals detailed information about variables, he was able to extract characters from data structures and concatenate them to create strings such as 'system'.
This technique allowed stealthcopter to execute terminal commands like "id" and "pwd", which provided server information. The final proof-of-concept payload involved reading sensitive files such as the system’s password file.
Example Payload:
[wpml_language_switcher]
{% set s = dump(current_language_code)|slice(0,1) %}
{% set y = dump(css_classes)|slice(4,1) %}
{% set system = s~y~s~t~e~m %}
{{ [id]|map(system)|join }}
[/wpml_language_switcher]This demonstrated how easily the vulnerability could be exploited to gain complete control over the backend of a WordPress website.
Without proper input sanitization and validation, this vulnerability could have become a gateway for attackers to compromise over 1,000,000 WordPress websites. Adversaries could exploit this flaw to install malware, access sensitive data, or cause reputational and financial damage to organizations using affected sites.
Although WPML eventually issued a fix, the patch took 62 days to materialize after the vulnerability was reported. During this time, websites remained exposed to potential exploitation.
Moreover, the $1,639 bounty paid to stealthcopter sparked controversy in the cybersecurity community, given the severity of the issue and its far-reaching impact.
This incident highlights the importance of:
- Proactive Input Validation: User input passed into templates should always be sanitized and validated to minimize risk.
- Regular Security Audits: Plugin developers must prioritize routine security assessments to identify vulnerabilities before they can be exploited.
- Faster Patch Deployment: Vulnerabilities of this scale require immediate action to protect users and prevent exploitation.
Despite the plugin’s popularity and critical role in multilingual website functionality, WPML’s mishandling of this vulnerability serves as a reminder of how dangerous insecure design can be when dealing with powerful tools like template engines.
The WPML vulnerability underscores the need for diligent security practices in plugin development. While plugins offer immense functionality, they can also become prime targets for attackers when improperly secured.
Thanks to security researchers like stealthcopter, such vulnerabilities are identified and responsibly reported, preventing catastrophic consequences for millions of websites around the world.
WordPress site owners using WPML are strongly advised to update to the latest version immediately to ensure their websites remain secure.
2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide