Vulnerability Management

More Than 1M WordPress Sites at Risk From Multilingual Plugin


More than one million WordPress sites could be compromised in attacks exploiting a critical remote code execution vulnerability in the WPML Multilingual CMS plugin, which eases the creation and operation of multilingual websites, reports Security Affairs.

The flaw, tracked as CVE-2024-6386, stems from improper shortcode handling and a lack of input validation and sanitization within the WPML plugin, according to an analysis by cybersecurity researcher stealthcopter, who identified and reported the issue.

"This vulnerability is a classic example of the dangers of improper input sanitization in templating engines. Developers should always sanitize and validate user inputs, especially when dealing with dynamic content rendering. This case serves as a reminder that security is a continuous process, requiring vigilance at every stage of development and data processing," said stealthcopter.
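To make the defect class concrete, here is an added PHP illustration (not WPML's code and not a reproduction of CVE-2024-6386): a minimal shortcode-style renderer in which a user-controlled attribute reaches the rendered template unsanitized, beside a hardened version that allowlists attributes, constrains the value and escapes at the point of output. The shortcode syntax, the `greet` shortcode and both sample inputs are constructed for this example; the WordPress helper names mentioned in comments (`shortcode_atts`, `esc_html`, `esc_attr`) are real WordPress functions but are not called here so the script runs with a plain `php` CLI.

```php
<?php
// Added example, not part of the original article or the WPML plugin.
// Demonstrates unsanitized shortcode attributes flowing into rendered
// output, and a hardened alternative. All inputs below are constructed.

declare(strict_types=1);

// Parse a shortcode such as [greet name="Ada"] into an attribute map.
function parse_shortcode(string $shortcode): array {
    $attrs = [];
    if (preg_match_all('/(\w+)="([^"]*)"/', $shortcode, $m, PREG_SET_ORDER)) {
        foreach ($m as $pair) {
            $attrs[$pair[1]] = $pair[2];
        }
    }
    return $attrs;
}

// VULNERABLE PATTERN: the attribute value is concatenated straight into the
// template, so whatever the editor typed is emitted verbatim. If the string
// were instead fed to a template engine as template source rather than as a
// variable, the engine itself would evaluate it, which is the more severe
// templating-engine variant the article refers to.
function render_unsafe(array $attrs): string {
    $name = $attrs['name'] ?? 'visitor';
    return "<p class=\"greeting\">Hello, {$name}!</p>";
}

// HARDENED PATTERN: allowlist accepted attributes, constrain the value, and
// escape for the HTML context at output time. In WordPress the equivalents
// are shortcode_atts() for the allowlist/defaults step and esc_html() or
// esc_attr() for output escaping; template data should always be passed to
// the engine as variables, never spliced into the template text.
function render_safe(array $attrs): string {
    $defaults = ['name' => 'visitor'];
    // Drop any attribute not in the allowlist, fill in defaults.
    $clean = array_intersect_key($attrs, $defaults) + $defaults;
    // Constrain: plain text only, bounded length.
    $name = substr(trim(strip_tags($clean['name'])), 0, 64);
    // Escape for the HTML context.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p class=\"greeting\">Hello, {$safe}!</p>";
}

// Constructed sample inputs: a benign shortcode and one carrying markup,
// plus an attribute the hardened renderer is expected to ignore.
$samples = [
    '[greet name="Ada"]',
    '[greet name="<script>alert(1)</script>" extra="ignored"]',
];

foreach ($samples as $sc) {
    $attrs = parse_shortcode($sc);
    echo "input:  {$sc}", PHP_EOL;
    echo "unsafe: ", render_unsafe($attrs), PHP_EOL;
    echo "safe:   ", render_safe($attrs), PHP_EOL, PHP_EOL;
}
```

Run it with `php example.php`: the unsafe renderer echoes the second sample's markup into the page, while the hardened renderer emits only the text `alert(1)` inside the paragraph and discards the unexpected `extra` attribute. The point the researcher makes above is visible in the difference: sanitization has to happen before dynamic content is rendered, not be assumed because the input came from a logged-in editor.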

Despite its potential to enable remote code execution, the bug has been downplayed by WPML maintainer OnTheGoSystems.

"It requires users to have editing permissions in WordPress, and the site must use a very specific setup," OnTheGoSystems wrote.