CVE-2024-6386

CRITICAL

WPML < 4.6.13 - Authenticated Remote Code Execution via Twig Server-Side Template Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-6386. PoCs published by argendo, bananoname.


Description

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Exploits (2)

nomisec WORKING POC 5 stars
by argendo · poc
https://github.com/argendo/CVE-2024-6386

This repository contains a functional proof-of-concept exploit for CVE-2024-6386, demonstrating a Server-Side Template Injection (SSTI) vulnerability in WPML that leads to Remote Code Execution (RCE). The exploit uses Selenium to automate the insertion of a malicious Twig template payload into a WordPress post, bypassing quote encoding restrictions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WPML (WordPress Multilingual Plugin)
Auth required
Prerequisites: Valid WordPress credentials · WPML plugin installed · Selenium and ChromeDriver setup
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by bananoname · poc
https://github.com/bananoname/CVE-2024-6386-WPML-SSTI

This repository provides a detailed technical analysis of CVE-2024-6386, a Server-Side Template Injection (SSTI) vulnerability in WPML Multilingual CMS leading to Remote Code Execution (RCE). It includes root cause analysis, payload examples, bypass techniques, and mitigation strategies.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WPML Multilingual CMS ≤ 4.6.12
Auth required
Prerequisites: Authenticated access (Contributor+) · WPML plugin version ≤ 4.6.12
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.9
EPSS 0.2501
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-1336, CWE-94
Status published
Products (2)
WPML/WPML < 4.6.12
wpml/wpml < 4.6.13
Published Aug 21, 2024
Tracked Since Feb 18, 2026