PT-2024-5841 · WordPress · Wpml

Matthew Rollings

Published 2024-02-09 · Updated 2025-12-10

CVE-2024-6386

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WPML versions up to, and including, 4.6.12
Description: The WPML plugin for WordPress is vulnerable to Remote Code Execution via Twig Server-Side Template Injection. The render function performs no input validation or sanitization, so authenticated attackers with Contributor-level access and above can execute code on the server. Over a million WordPress sites are at risk.
Recommendations: Update to version 4.6.13 or later to patch the critical flaw. As a temporary workaround, consider disabling the render function or restricting access to the vulnerable plugin until the patch is applied.

Tags: Exploit, Fix, RCE, Code Injection

Weakness Enumeration

Related Identifiers: BDU:2024-06586, CVE-2024-6386

Affected Products: Wpml