Critical Vulnerability in WordPress Translation Plugin Impacts Over 1 Million Websites

WordPress has always had security issues before, but the recent discovery of a severe vulnerability in wordpress translation plugin has made things worse. This exposure impacts more than one million websites and gives rise to significant concerns about the protection of sites that use multiple languages. It also emphasizes the hazards for site owners who lean on third-party plugins to improve their site’s functionality.

A critical susceptibility was discovered in the WPML WordPress plugin which impacts more than 1 million websites. This vulnerability permits a certified attacker to execute remote code, potentially resulting in a total site takeover. The Common Vulnerabilities and Exposures (CVE) organization has ranked it as 9.9 out of 10.

WPML Plugin Vulnerability | WordPress Translation Plugin

The main reason for vulnerability in wordpress translation plugin is due to not using any security benchmark known as sanitization. It is essential to filter out dangerous data and prevent harmful files from being uploaded. The absence of sanitization in this input makes the plugin exposed to Remote Code Execution which can permit attackers to run malicious code on your site.

The problem is discovered in a feature of the WPML plugin that manages custom language switchers via shortcodes. This attribute takes the shortcode content and shows it in a plugin template, but it doesn’t appropriately filter or clean the data. Consequently, it is liable to code injection invasions. This issue impacts every version of the WPML plugin up to and including 4.6.12. 

Timeline of Vulnerability

Wordfence found out about this vulnerability in late June and immediately cautioned the WPML team. However, WPML did not respond for more than one and a half months and replied on August 1, 2024.

People who were using the paid version of Wordfence got eight days of protection after the finding of the vulnerability. Whereas, the free users of Wordfence received their security on July 27th.

WPML plugin users without any free or paid version of Wordfence did not get any security from WPML. They had to wait until August 20th when WPML finally allocated a patch in version 4.6.13 to handle the case.

Update to the Latest Version

Wordfence advises all WPML plugin users to update to the latest version of the plugin, which is 4.6.13, to ensure the protection of your site.

How Revolute X Digital Protects Your Website from WPML Plugin Vulnerabilities:

At Revolute X Digital, we prioritize the security of your WordPress sites. In light of the recent WPML plugin vulnerability, which exposed over one million websites to potential attacks, our team has swiftly taken action to safeguard our clients. We’ve updated all affected sites to the latest WPML version (4.6.13), ensuring protection against this critical threat. Our proactive approach and commitment to using best practices, like proper data sanitization, ensure that your website remains secure and fully functional. Trust us to keep your digital assets safe!