A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.
The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.
Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.
“authenticated attackers, with Contributor-level access and above” bad, but 9.9 seems a tad OTT unless there are other possible methods.