WordPress Plugin Vulnerabilities

WPML Multilingual CMS < 4.6.13 - Contributor+ RCE via Twig Server-Side Template Injection

Description

The plugin is vulnerable to Remote Code Execution via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
sitepress-multilingual-cms
Fixed in 4.6.13

References

CVE
CVE-2024-6386
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
41673afd-4ddd-4db8-a676-a85c3c93f9b0

Timeline

Publicly Published
2024-08-21 (about 1 year ago)
Added
2024-08-21 (about 1 year ago)
Last Updated
2026-06-09 (about 5 days ago)

Other

Published
Title
Published
2025-04-25
Title
Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-07-16
Title
Alone <= 7.8.3 - Unauthenticated Remote Code Execution
Published
2014-08-01
Title
XML Sitemap Generator 3.2.8 - XML File Overwrite Arbitrary Code Execution
Published
2025-05-07
Title
GS Testimonial Slider < 3.3.0 - Unauthenticated Arbitrary Shortcode Execution
Published
2026-03-23
Title
JetFormBuilder — Dynamic Blocks Form Builder < 3.5.6.2 - Authenticated (Contributor+) Remote Code Execution