CVE-2024-6386

CRITICAL

WPML <4.6.12 - RCE

Title source: llm

Description

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Exploits (2)

nomisec WORKING POC 5 stars

by argendo · poc

https://github.com/argendo/CVE-2024-6386

View Code ZIP pw:eip

nomisec WRITEUP

by bananoname · poc

https://github.com/bananoname/CVE-2024-6386-WPML-SSTI

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/

[Product] https://wpml.org/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve

Scores

CVSS v3 9.9

EPSS 0.7391

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-1336 CWE-94

Status published

Products (2)

WPML/WPML < 4.6.12

wpml/wpml < 4.6.13

Published Aug 21, 2024

Tracked Since Feb 18, 2026