CVE-2024-6386
Published: 21 August 2024
Summary
CVE-2024-6386 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in WPML (listed as vendor Wpml, product Wpml). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The WPML plugin for WordPress is vulnerable to remote code execution in all versions through 4.6.12. The flaw stems from missing input validation and sanitization in the render function, enabling Twig server-side template injection. The issue is tracked as CVE-2024-6386 with a CVSS 3.1 score of 9.9 and is associated with CWE-1336 and CWE-94.
Authenticated attackers holding Contributor-level access or higher can exploit the vulnerability over the network to execute arbitrary code on the server. The attack requires no user interaction and can impact confidentiality, integrity, and availability with a scope change.
The current EPSS score stands at 0.7391 after reaching a peak of 0.7535. Reference materials are available from the vendor (wpml.org) and from Wordfence and other researchers who have detailed the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47493
Vulnerability details
The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
- CWE(s): CWE-1336, CWE-94
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.