WordPress Plugin Flaw Exposes 1,000,000 WordPress Sites to Remote Code Attacks
- Source: Vulnerability (cybersecuritynews.com)
Author: Dhivya
A vulnerability in the WPML (WordPress Multilingual) plugin has put over a million WordPress sites at risk of remote code execution (RCE) attacks.
This flaw allows authenticated users with contributor-level access or higher to execute arbitrary code on the server, potentially leading to a complete site takeover. The vulnerability, identified as CVE-2024-6386, affects all versions of the WPML plugin up to and including 4.6.12.
The flaw was discovered by a security researcher known as “stealthcopter” and responsibly reported through the Wordfence Bug Bounty Program. The researcher was awarded $1,639 for this critical finding.
Technical Analysis
The issue arises from a lack of input validation and sanitization in the plugin’s use of Twig, a popular templating engine.
Specifically, the vulnerability is found in the render() function of the WPML_LS_Public_API class, which processes user-supplied Twig templates without proper sanitization.
This oversight allows for server-side template injection, enabling attackers to inject and execute malicious code.
    protected function render( $args, $twig_template = null ) {
        $defaults_slot_args = $this->get_default_slot_args( $args );
        $slot_args          = array_merge( $defaults_slot_args, $args );
        $slot               = $this->get_slot_factory()->get_slot( $slot_args );
        $slot->set( 'show', 1 );
        // The caller-supplied template string is stored as-is; nothing validates or sanitizes it.
        $slot->set( 'template_string', $twig_template );

        if ( $slot->is_post_translations() ) {
            $output = $this->render->post_translations_label( $slot );
        } else {
            $output = $this->render->render( $slot );
        }

        return $output;
    }
This function fails to sanitize the Twig template, allowing attackers to craft templates that execute arbitrary PHP functions.
Proof-of-Concept Exploit
A proof-of-concept exploit demonstrates how this vulnerability can be leveraged. Using the [wpml_language_switcher] shortcode, attackers can inject Twig code that executes PHP functions, such as phpinfo(), revealing sensitive server information.
    [wpml_language_switcher]
    {% set call_user_func = c~a~l~l~_~u~s~e~r~_~f~u~n~c %}
    {% set phpinfo = p~h~p~i~n~f~o %}
    {{ {1: phpinfo}|filter(call_user_func) }}
    [/wpml_language_switcher]
This example uses Twig’s filter function to call phpinfo(), demonstrating the potential for more harmful exploits.
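As an added illustration for defenders, not code from the article or from WPML: the Python below scans stored post content for the shortcode described above when its body carries Twig syntax, and collapses the single-character `~` concatenation the proof of concept uses so the names being assembled can be reviewed. It generalizes the page's case slightly by also handling quoted single characters; the regexes, the review list and the sample posts are constructed for this example.

```python
import re

# Matches the shortcode, with or without attributes, and captures its body (constructed regex).
SHORTCODE_RE = re.compile(
    r"\[wpml_language_switcher\b[^\]]*\](?P<body>.*?)\[/wpml_language_switcher\]",
    re.DOTALL | re.IGNORECASE,
)
# Any Twig expression `{{ ... }}` or control tag `{% ... %}` inside the shortcode body.
TWIG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Runs of single (optionally quoted) characters joined with Twig's `~` operator,
# e.g. p~h~p~i~n~f~o, the trick the PoC uses to hide the function name.
CONCAT_RE = re.compile(r"['\"]?\w['\"]?(?:\s*~\s*['\"]?\w['\"]?){2,}")
# Names that warrant review when they appear in a contributor-supplied template.
REVIEW_NAMES = ("call_user_func", "phpinfo")

# Constructed samples: an ordinary use of the shortcode, and the advisory's PoC body.
BENIGN_POST = "Choose a language: [wpml_language_switcher][/wpml_language_switcher] Thanks!"
POC_POST = (
    "[wpml_language_switcher]"
    " {% set call_user_func = c~a~l~l~_~u~s~e~r~_~f~u~n~c %}"
    " {% set phpinfo = p~h~p~i~n~f~o %}"
    " {{ {1: phpinfo}|filter(call_user_func) }}"
    " [/wpml_language_switcher]"
)


def deobfuscate_concat(text: str) -> str:
    """Collapse c~a~l~l style concatenations back into the literal they build."""
    return CONCAT_RE.sub(lambda m: re.sub(r"[\s~'\"]", "", m.group(0)), text)


def triage_shortcodes(content: str) -> list[dict]:
    """One finding per wpml_language_switcher shortcode whose body contains Twig syntax."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        body = m.group("body")
        if not TWIG_RE.search(body):
            continue  # no template code in the body: ordinary use of the shortcode
        normalized = deobfuscate_concat(body)
        reasons = ["twig_syntax_in_shortcode"]
        if CONCAT_RE.search(body):
            reasons.append("char_concat_obfuscation")
        names = sorted(n for n in REVIEW_NAMES if n in normalized.lower())
        if names:
            reasons.append("names_for_review:" + ",".join(names))
        findings.append({"offset": m.start(), "reasons": reasons, "normalized": normalized.strip()})
    return findings


if __name__ == "__main__":
    for post in (BENIGN_POST, POC_POST):
        print(triage_shortcodes(post))
```

Run it over exported post_content rows (or wp_posts revisions) to find shortcode bodies that a contributor filled with template code; an empty body, as in BENIGN_POST, is not flagged.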
Wordfence swiftly responded by releasing a firewall rule on June 27, 2024, to protect its premium users. A month later, free users received protection.
Despite initial communication challenges, the WPML development team released a patch on August 20, 2024, with version 4.6.13 addressing the vulnerability.
Users are strongly urged to update to the latest version of WPML to mitigate the risk. The vulnerability’s critical CVSS score of 9.9 underscores the urgency of this update. This incident highlights the importance of robust security practices and timely updates in the WordPress ecosystem.
As plugins become increasingly complex, vulnerabilities like this remind users of the potential risks associated with third-party integrations. Users are encouraged to remain vigilant and proactive in maintaining their site’s security.