WordPress: 1 million websites use vulnerable plugin WPML

The WordPress plugin WPML has more than one million active installations. A critical vulnerability has now been patched.

(Image: created with AI in Bing Designer by heise online / dmk)

IT security researchers have discovered a critical vulnerability in the WordPress plug-in WPML. Authenticated attackers can use it to inject malicious code remotely. An update closes the hole in the plug-in, which is installed on more than one million websites.

The IT analysts at Wordfence discuss details of the vulnerability in a security advisory. Authenticated attackers can inject templates into the PHP template engine Twig, which evaluates them on the server (Twig Server-Side Template Injection). Malicious actors with access to the post editor can abuse the vulnerability.
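The class of bug described above comes from handing user-controlled text to Twig as template source instead of as template data. The following PHP snippet is an added illustration, not WPML's or Wordfence's code, and assumes Twig is installed via Composer; the function names and the sample input are constructed for the example.

```php
<?php
// Added example (not WPML's code): the SSTI-prone pattern next to the safe one.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Insecure pattern: the user-supplied string becomes the template *source*, so
// any {{ ... }} or {% ... %} it contains is parsed and executed by Twig on the
// server. This is the shape of a server-side template injection.
function render_insecure(string $user_text): string
{
    $twig = new Environment(new ArrayLoader(['dynamic' => $user_text]));
    return $twig->render('dynamic');
}

// Safe pattern: the template is fixed, developer-written code; the user string
// is passed as a *variable* and is HTML-escaped on output. Template syntax
// inside it is treated as plain text, never evaluated.
function render_safe(string $user_text): string
{
    $twig = new Environment(
        new ArrayLoader(['fixed' => '<p>{{ text }}</p>']),
        ['autoescape' => 'html']
    );
    return $twig->render('fixed', ['text' => $user_text]);
}

// Constructed sample input: harmless Twig syntax typed into a post body.
$input = '{{ 1 + 1 }}';
echo render_insecure($input), "\n";
echo render_safe($input), "\n";
```

With the insecure function the arithmetic inside the braces is evaluated by Twig; with the safe one the braces appear literally in the escaped output. If a feature genuinely has to let users author templates, Twig's `SandboxExtension` with a `SecurityPolicy` restricting the allowed tags, filters and functions is the intended mitigation, combined with the capability checks WordPress already provides for post editing.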

After initial contact difficulties, communication between the manufacturer and Wordfence picked up at the beginning of August, the authors of the blog post explain. Since Tuesday last week, an updated version of the WPML plug-in has been available that closes the security gap.

WPML up to and including version 4.6.12 is affected. Plug-in version 4.6.13 or newer fixes the security flaw. In the blog post, the authors not only discuss details of the vulnerability but also provide a proof of concept, which makes it easier for attackers to develop an exploit. Admins who use the WPML plug-in should therefore install the available update as soon as possible.

WordPress plug-ins often introduce security vulnerabilities into WordPress instances. Just last week, a critical vulnerability in the LiteSpeed Cache plug-in became known. Attackers can use it to compromise the entire instance. That plug-in has more than five million active installations. Here too, applying the update protects against successful attacks.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.