PT-2024-5841 · WordPress · Wpml

Authors: Matthew Rollings, +1
Published: 2024-02-09 · Updated: 2025-01-07
CVE-2024-6386

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

WPML versions up to, and including, 4.6.12

Description:

The WPML plugin for WordPress is vulnerable to Remote Code Execution via Server-Side Template Injection in Twig. The cause is missing input validation and sanitization in the plugin's render function, which allows authenticated attackers with Contributor-level access or above to execute arbitrary code on the server. Over a million WordPress sites are at risk.
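The root cause named above, user-controlled text reaching the Twig engine as template source rather than as data, is illustrated below in PHP. This is an added example written for this page; it is not WPML's code and does not reproduce the affected render function. The function names, the Composer autoload path and the sandbox policy are assumptions for a generic Twig 3 application.

```php
<?php
// Added illustration, not WPML's code. Assumes Twig 3 installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE pattern (the SSTI root cause): the caller's text is concatenated
// into the template source, so any Twig syntax it contains is parsed and
// executed by the engine instead of being treated as plain text.
function renderUnsafe(Environment $twig, string $userText): string
{
    $templateSource = '<p>Hello, ' . $userText . '</p>';
    return $twig->createTemplate($templateSource)->render();
}

// SAFE pattern: the template is a fixed string owned by the application and the
// caller's text is passed only as a variable. Twig treats it as data and, with
// autoescaping enabled, HTML-escapes it on output.
function renderSafe(Environment $twig, string $userText): string
{
    $templateSource = '<p>Hello, {{ name }}</p>';
    return $twig->createTemplate($templateSource)->render(['name' => $userText]);
}

// Defence in depth: a sandboxed environment restricts which tags, filters,
// functions, methods and properties any template may use, limiting impact if
// untrusted text ever reaches the template source again.
function buildSandboxedTwig(): Environment
{
    $twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
    $policy = new SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters ('escape' is needed for autoescaping)
        [],                   // allowed methods: none
        [],                   // allowed properties: none
        []                    // allowed functions: none
    );
    // Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

// Example use with request input (constructed for illustration):
$twig = buildSandboxedTwig();
echo renderSafe($twig, $_GET['name'] ?? 'world');
```

`renderUnsafe` is included only to make the contrast visible: the two functions differ by a single design decision, whether user input is part of the template or a variable rendered by it, and that decision is what separates a harmless greeting from code execution under the plugin's own privileges. The sandbox policy is a second, independent control and does not replace the fix of keeping user input out of the template source.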

Recommendations:

Update to version 4.6.13 or later to patch the critical flaw.

As a temporary workaround, consider disabling the render function or restricting access to the vulnerable plugin until a patch is applied.

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-06586
CVE-2024-6386

Affected Products

Wpml