WordPress Security : Identifying and Fixing WPML Multilingual CMS Plugin Vulnerability

The WPML Multilingual CMS plugin is a popular tool used by WordPress site owners to create multilingual websites. However, a critical security vulnerability has been identified in versions up to 4.6.12.

This vulnerability is known as an “Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection,” (CVE-2024-6386). It can allow an attacker to take control of your website. 

In this blog, we’ll break down what this means, how this vulnerability works, and how you can protect your website.

The WPML (WordPress Multilingual) Multilingual CMS plugin is a widely-used WordPress plugin designed to help website owners create and manage multilingual websites.

It allows users to translate their WordPress site content into multiple languages, and make it accessible to a global audience. Also, it has over 1 million active installations.

Before moving to the actual Vulnerability, let’s understand some basics;

Remote Code Execution (RCE)

This is a type of security vulnerability that allows an attacker to run arbitrary code on a server or computer system from a remote location.

This is one of the most severe types of vulnerabilities because it can lead to complete control over the affected system.

RCE vulnerabilities typically occur due to flaws in software that allow user input to be improperly processed or executed by the system (Improper Input Sanitization).

Twig Server-Side Template Injection

Twig is a template engine for PHP that is commonly used to render HTML templates.

A server-side template injection is a type of vulnerability that occurs when user input is improperly handled and passed directly into a template, which is then rendered on the server.

An attacker can use this vulnerability and they can embed their malicious code inside template format. The server interprets this code as normal code and runs the malicious command instead of just displaying the template content.

If any user input is directly passed in twig templates without any sanitization, then it will execute that directly. For Example : 

{{ 7 * 7 }}  // This would calculate 7 * 7 and output 49.

The server processes this input and instead of simply displaying it as text, it interprets the code and outputs 49.

Authenticated (Contributor+)

This part means that the attacker needs to have an account on your website with at least contributor-level permissions.

A contributor can create content but needs approval to publish it. So a user must have at least a contributor account to publish content on the website.

Basically, this plugin provides a shortcode ([wpml_language_switcher]) that can be used to create a custom language switcher with a Twig Template.

Then this shortcode calls a function callback () inside a plugin’s class which again calls a function render () that is used to render the Twig template supplied in the shortcode.

But it fails to sanitize this input and this functionality will make it vulnerable to inject malicious code inside the Twig Template that is executed at the server end and displays the result at the client end.

Imagine you have a website with multiple users, some of them are contributors. Because of a flaw in the WPML Plugin up to version 4.6.12, a contributor could potentially exploit the template system to run their own code on your server.

Here’s a step-by-step explanation of how an Authenticated attacker (Contributor) exploit this vulnerability;

Step 1 : Access to the System: The attacker logs in as a contributor.

Step 2 : Exploiting the Template: Suppose the contributor/attacker creates a post on your website and adds the [wpml_language_switcher] shortcode to create a custom language switcher on that post, then inside this shortcode, he injects malicious code/commands to perform malicious actions on the server.

He injects his malicious code in this way so it is hard to detect and then he waits to publish his post, as a contributor can write the post but not publish any post.

Step 3 : Executing Malicious Code: When any editor or administrator publishes this post, the request goes to the server.

When the server processes this template, the malicious code is executed and the desired result will be displayed on the post. (It can be anything like getting any sensitive file data, deleting or modifying any file, creating backdoors, etc).

By following the above steps, any attacker can execute malicious commands on the server and get the desired result.

For more understanding, refer to the below visual representation of the actual exploitation of this vulnerability.

This vulnerability is particularly harmful because it combines several factors:

• The attacker needs only contributor-level access, which many websites grant to multiple users.
• Remote Code Execution is one of the most severe types of vulnerabilities, as it can lead to complete control over the website if an attacker installs a backdoor on the website. 
• An attacker can modify/delete/create any file on the server by using this vulnerability.
• An attacker can get any file content using this vulnerability.
• An attacker could exploit this vulnerability without the site owner noticing until significant damage has been done.

• Insufficient Input Validation: The vulnerability exists because the input that goes into the Twig templates is not properly sanitized. This allows the attacker to insert their own code. We can see the WPML Plugin’s Vulnerable Code snippet below;
  
  As we can see in the above Code snippet, the render function is not properly sanitizing user input and it directly passes that input to the other variables and generates the result. That is the main flaw in this plugin.
• Permission Mismanagement: Even though contributors have limited permissions, the flaw in the system allows them to escalate these privileges and execute code.

Fixing this vulnerability involves several steps:

1. Update WPML Plugin: The most straightforward way to fix this issue is by updating the WPML plugin to the latest version. The developers have released patches to address this vulnerability and fix this issue in the latest version. So Update your WPML plugin to version 4.6.13 or higher.
   
   For updating your plugin, first go to admin dashboard → plugins → WPML Multilingual CMS → Click on Update. (As shown in the below screenshot).
   
   
   
   Alternatively, if the update option is not showing in your WordPress plugin section, then go to the official website of this plugin (https://wpml.org/), click on the Download button, and download the latest version of the plugin.
   
2. Limit Contributor Permissions: Consider reviewing the permissions of your contributors. Restrict their access to critical areas of the site where possible.
   
3. Use a Web Application Firewall (WAF): A WAF can help detect and block malicious activities, including attempts to exploit this kind of vulnerability.
   
4. Regular Security Audits: Regularly audit your website’s security to identify and fix potential vulnerabilities before they can be exploited.