CRITICAL🇵🇱 Wersja polska

CVE-2024-6386

CVSS 9.9v3.1pub. 2024-08-21upd. 2026-04-08

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

🤖 AI Analysis
How it works

The vulnerability results from lack of validation and sanitization of input data in the render function handling Twig templates. An attacker with Contributor level access or higher can inject malicious code into a Twig template, which is then executed on the server side. The lack of proper input filtering allows malicious payload to be passed directly to the template engine, bypassing security mechanisms.

Impact

An authenticated attacker can gain full control over the server through remote code execution, leading to complete compromise of confidentiality, integrity and availability of the system — including the possibility of server takeover, data breach and installation of backdoors.

Mitigation & patch

Update the WPML plugin to a version higher than 4.6.12. Patches are available from the vendor according to references on the wpml.org website. Additionally, it is recommended to restrict user permissions to Contributor level where not necessary.

Who is affected

WPML plugin for WordPress in all versions up to and including 4.6.12

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Wpml

    APP
    Wpml
    < 4.6.13
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2015-2792HIGH7.5ten sam produkt

The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allow...

CVE-2015-2314HIGH7.5ten sam produkt

SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute a...

CVE-2025-3488MEDIUM6.4ten sam produkt

The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_swit...

CVE-2022-38974MEDIUM4.3ten sam produkt

Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows user...

CVE-2022-38461MEDIUM5.4ten sam produkt

Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows user...