Critical RCE Vulnerability Found in WPML Plugin
A critical Remote Code Execution (RCE) vulnerability has been identified in the WordPress Multilingual Plugin (WPML), which is installed on more than 1 million sites. Discovered by security researcher stealthcopter, the flaw is a Server-Side Template Injection (SSTI) in the plugin's use of the Twig template engine and carries a CVSS score of 9.9. All versions up to 4.6.12 are vulnerable: injected text is evaluated by Twig as template code, which gives an attacker arbitrary code execution on the server and, from there, access to whatever data the site holds. Despite the severity, stealthcopter received a bounty of $1,639, and a patch took 62 days to ship. The root cause is the usual one for SSTI: user-controlled text reaches the template engine as template source to be compiled, rather than being passed to the template as data. Validating or escaping individual characters does not close that class of bug; untrusted text must never be concatenated into template source, and where less-trusted authors genuinely have to write template fragments, the engine's sandbox with an explicit allowlist is the backstop.
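As an added illustration, not the WPML plugin's code and not the researcher's exploit, the PHP below shows the shape of a Twig SSTI and the two ways to close it: keep untrusted text out of the template source entirely, and, where template text must come from a less-trusted author, run it in Twig's sandbox under an allowlist. The Composer setup, the function names, the `label` variable and the sample inputs are all assumptions constructed for the example.

```php
<?php
// Added example, not WPML's code: the shape of a Twig SSTI and two ways to close it.
// Assumes Twig 3 installed via `composer require twig/twig` (hypothetical setup);
// function names, variables and the sample inputs below are constructed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for a value an attacker controls (a URL parameter, a post
// field, a setting copied into an HTML element). {{ 7*7 }} is the classic SSTI
// probe: harmless on its own, but if "49" comes back the engine is compiling
// attacker-supplied text, and the same channel reaches Twig filters, functions
// and object methods.
const UNTRUSTED = 'Choose a language {{ 7*7 }}';

// VULNERABLE: the untrusted string is concatenated into the template *source*,
// so Twig parses and compiles whatever it contains.
// Result: <span>Choose a language 49</span>
function renderVulnerable(Environment $twig, string $untrusted): string
{
    $source = '<span>' . $untrusted . '</span>';
    return $twig->createTemplate($source)->render([]);
}

// FIXED: the template source is a constant written by the developer; the
// untrusted value is handed over as a variable, so it is only ever data, and
// Twig's default HTML autoescaping is applied to it on output.
// Result: <span>Choose a language {{ 7*7 }}</span>
function renderFixed(Environment $twig, string $untrusted): string
{
    $source = '<span>{{ label }}</span>';
    return $twig->createTemplate($source)->render(['label' => $untrusted]);
}

// DEFENCE IN DEPTH: if less-trusted authors genuinely must write template text
// (a customisable snippet, say), run it in Twig's sandbox under an explicit
// allowlist. Anything outside the policy throws SecurityError before it runs.
function renderSandboxed(string $untrustedTemplate): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters ('escape' keeps autoescaping working)
        [],                   // allowed methods: none
        [],                   // allowed properties: none
        []                    // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader([]));
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template
    try {
        return $twig->createTemplate($untrustedTemplate)->render(['label' => 'x']);
    } catch (SecurityError $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

$twig = new Environment(new ArrayLoader([]));
echo renderVulnerable($twig, UNTRUSTED), PHP_EOL;
echo renderFixed($twig, UNTRUSTED), PHP_EOL;

// Constructed attacker template that reaches for the `map` filter with a callable
// name, a known Twig SSTI trick (whether it still yields RCE depends on the Twig
// version). The sandbox rejects it because `map` is not on the allowlist.
echo renderSandboxed("{{ ['id']|map('system') }}"), PHP_EOL;
```

In a WordPress plugin, anything that originates from shortcode attributes, post content, post meta, options or request parameters counts as untrusted for this purpose: the test is not whether the text looks benign but whether it ever reaches `createTemplate` (or a template file) as source rather than as a render variable.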
