
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The WPML (WordPress Multilingual) plugin contains a critical Remote Code Execution vulnerability (CVE-2024-6386) affecting all versions up to and including 4.6.12. The vulnerability was discovered in August 2024 and stems from missing input validation and sanitization in the render function, specifically related to Twig Server-Side Template Injection. This security flaw affects over 1 million WordPress installations (Hacker News).
The vulnerability is caused by improper handling of shortcodes within the WPML plugin, specifically the [wpml_language_switcher] shortcode. The issue lies in the callback() function of the WPML_LS_Shortcodes class, which calls the render() function of the WPML_LS_Public_API class without proper input sanitization, allowing Twig template injection. The vulnerability has received a CVSS v3.1 score of 9.9 (Critical) (Wordfence).
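The unsafe pattern the report describes (a shortcode attribute reaching Twig's render without sanitization) next to a corrected form, as an added PHP illustration; this is not WPML's or Wordfence's code, and the shortcode name, function names and Composer autoload path are assumptions.

```php
<?php
// Added illustration (not WPML's code): how a shortcode attribute can reach Twig
// unsafely versus safely. Assumes Twig is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Hypothetical shortcode: [demo_switcher label="..."]
// Vulnerable pattern: the attribute is spliced into the template SOURCE, so
// Twig parses any {{ ... }} or {% ... %} a contributor put into the attribute.
function demo_render_vulnerable(array $atts): string {
    $label = $atts['label'] ?? '';
    $twig  = new Environment(new ArrayLoader());
    $src   = '<span class="switcher">' . $label . '</span>';
    return $twig->createTemplate($src)->render([]);
}

// Hardened pattern: the attribute stays DATA. The template source is fixed,
// the value is passed in the render context, and autoescape is on, so Twig
// never parses the attribute and template syntax inside it is printed literally.
function demo_render_safe(array $atts): string {
    $raw   = $atts['label'] ?? '';
    // sanitize_text_field() exists inside WordPress; fall back outside it.
    $label = function_exists('sanitize_text_field')
        ? sanitize_text_field($raw)
        : trim(strip_tags($raw));
    $loader = new ArrayLoader(['switcher' => '<span class="switcher">{{ label }}</span>']);
    $twig   = new Environment($loader, ['autoescape' => 'html']);
    return $twig->render('switcher', ['label' => $label]);
}

// Defensive check for content reviewers: flag stored shortcode attribute values
// that carry Twig delimiters, which have no business in a language-switcher label.
function demo_attribute_has_template_syntax(string $value): bool {
    return (bool) preg_match('/\{\{|\{%|\{#/', $value);
}

// Constructed sample: a contributor-supplied attribute containing Twig syntax.
$atts = ['label' => 'English {{ 1 + 1 }}'];
echo demo_render_vulnerable($atts), "\n"; // the expression is evaluated by Twig
echo demo_render_safe($atts), "\n";       // printed literally, HTML-escaped
var_dump(demo_attribute_has_template_syntax($atts['label'])); // bool(true)
```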
The vulnerability allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. This could lead to complete site takeover, data theft, website defacement, and the installation of backdoors for future attacks (Security Online).
The vulnerability has been patched in WPML version 4.6.13, released on August 20, 2024. Website administrators are strongly advised to update their WPML plugin to this latest version immediately. The plugin maintainers, OnTheGoSystems, have emphasized that the risk is lower for sites where only trusted users have editing privileges (Hacker News).
The discovery was rewarded with a $1,639 bounty through the Wordfence Bug Bounty Program. OnTheGoSystems has stated that while the vulnerability is serious, it is 'unlikely to occur in real-world scenarios' as it requires specific user permissions and site configurations (Hacker News).
Source: This report was generated using AI