Skip to main content

WPML CVE-2024-6386

CRITICAL
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2024-08-21 security@wordfence.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
PoC Detected
Apr 08, 2026 - 19:22 vuln.today
Public exploit code
CVE Published
Aug 21, 2024 - 21:15 nvd
CRITICAL 9.9

DescriptionCVE.org

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

AnalysisAI

Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor-level authenticated users to execute arbitrary code on the underlying server via Twig Server-Side Template Injection in the shortcode render function. Publicly available exploit code exists and EPSS rates the exploitation probability at 73.91% (99th percentile), making this a high-priority issue for any WordPress site running WPML.

Technical ContextAI

WPML is one of the most widely deployed multilingual plugins for WordPress, identified by CPE cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:*. The flaw is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), specifically a Server-Side Template Injection (SSTI) flaw in WPML's use of the Twig templating engine. When user-controlled input reaches Twig's render function without sanitization, attackers can inject template syntax that Twig evaluates server-side, abusing Twig's object filters and PHP interoperability to reach arbitrary PHP execution from what is normally rendered as benign shortcode output.

RemediationAI

Upgrade WPML to version 4.6.13 or later, which the vendor released to address the Twig SSTI; cite the Wordfence Threat Intelligence advisory and the WPML release notes on wpml.org for the authoritative fix reference. Until upgrade is possible, restrict who can author content by removing or downgrading untrusted Contributor and Author accounts, temporarily disable open user registration, and audit existing low-privilege users for unexpected activity; on multisite deployments, consider deactivating WPML on lower-trust sites. As compensating controls, deploy a WAF rule that blocks Twig-style payloads (such as {{, }}, and known Twig sandbox-escape gadgets) in WPML shortcode parameters, knowing this may produce false positives on legitimate multilingual content and is not a substitute for patching.

More in Ssti

View all
CVE-2025-47916 CRITICAL POC
10.0 May 16

Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e

CVE-2024-23692 CRITICAL POC
9.8 May 31

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. Rated c

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2024-32651 CRITICAL POC
10.0 Apr 26

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification servic

CVE-2024-4040 CRITICAL POC
10.0 Apr 22

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms all

CVE-2024-24724 CRITICAL POC
9.8 Apr 03

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Re

CVE-2026-28496 CRITICAL POC
9.4 Jun 23

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb

CVE-2025-1040 HIGH POC
8.8 Mar 20

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote C

CVE-2023-6709 HIGH POC
8.8 Dec 12

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2022-0896 HIGH POC
8.8 Mar 09

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior t

CVE-2024-54954 HIGH POC
8.0 Feb 10

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rate

CVE-2024-8238 HIGH POC
8.1 Mar 20

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function fro

Share

CVE-2024-6386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy