WordPress Plugin Vulnerabilities

WPML < 4.3.7 - Authenticated Cross Site Request Forgery leading to Remote Code Execution

Description

The sitepress-multilingual-cms (WPML) WordPress plugin before version 4.3.7 has CSRF due loose comparison, that leads to remote code execution.

Affects Plugins

Plugin icon
sitepress-multilingual-cms
Fixed in 4.3.7

References

CVE
CVE-2020-10568
URL
https://medium.com/@arall/sitepress-multilingual-cms-wplugin-wpml-4-3-7-b-2-9c9486c13577

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Gerard Arall
Submitter
Gerard Arall
Submitter twitter
gerardarall
Verified
No
WPVDB ID
39638389-722d-4ecf-b87c-5bca2709241b

Timeline

Publicly Published
2020-03-09 (about 6 years ago)
Added
2020-03-13 (about 5 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-12-27
Title
TerraClassifieds <= 2.0.3 - Cross-Site Request Forgery
Published
2025-03-27
Title
SimplyRETS Real Estate IDX < 3.1.0 - Cross-Site Request Forgery
Published
2024-12-11
Title
Amazon Product Price <= 1.1 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2023-09-20
Title
Inactive Logout < 3.2.3 - Cross-Site Request Forgery
Published
2024-12-18
Title
Wayne Audio Player <= 1.0 - Cross-Site Request Forgery to Privilege Escalation