Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
(thehackernews.com)
from AmbiguousProps@lemmy.today to cybersecurity@sh.itjust.works on 28 Aug 2024 10:21
https://lemmy.today/post/15397177
from AmbiguousProps@lemmy.today to cybersecurity@sh.itjust.works on 28 Aug 2024 10:21
https://lemmy.today/post/15397177
A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.
Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.
threaded - newest
“authenticated attackers, with Contributor-level access and above” bad, but 9.9 seems a tad OTT unless there are other possible methods.