A critical remote code execution (RCE) vulnerability, rated 9.9 on the CVSS scale, recently threatened over a million WordPress websites. This flaw allowed attackers to gain full control of affected sites’ backends before it was patched.
WPML: A High-Risk Target
The vulnerability was discovered in WPML (WordPress Multilingual Plugin), a popular premium plugin used to create multilingual websites. All versions up to 4.6.12 were affected, leaving millions of sites at risk.
The issue was identified by security researcher stealthcopter, a seasoned expert in application security. However, the critical flaw remained unpatched for 62 days after discovery. The researcher received a bounty of just $1,639, sparking debates about fair compensation for uncovering severe vulnerabilities.
The Vulnerability: Server-Side Template Injection (SSTI)
The flaw stemmed from a Server-Side Template Injection (SSTI) vulnerability in WPML’s shortcode blocks. SSTI occurs when unsanitized user input is embedded into a template that a template engine such as Twig then compiles and renders, so template directives hidden in that input are executed on the server and an attacker can run payloads of their choosing.
To test for SSTI, attackers could use simple payloads, such as evaluating mathematical expressions. If server-side execution occurred—e.g., returning “28” from {{ 7 * 4 }}—it indicated a potential security gap.
From SSTI to RCE
Once SSTI was confirmed, stealthcopter escalated the attack to achieve RCE. By leveraging Twig’s dump() function, which exposes detailed information about variables, the attacker was able to craft payloads that reassembled the name of a dangerous PHP function such as system one character at a time, and then invoked it. This allowed execution of terminal commands, including “id” and “pwd,” and access to sensitive files like the system password file.
Example Payload:
[wpml_language_switcher]
{% set s = dump(current_language_code)|slice(0,1) %}
{% set y = dump(css_classes)|slice(4,1) %}
{% set system = s~y~s~t~e~m %}
{{ [id]|map(system)|join }}
[/wpml_language_switcher]
This payload showcased how an attacker who could place a shortcode in site content could take complete control of a website’s backend with minimal effort.
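As an added defensive illustration, not code from the article or from WPML: a small Python scanner that looks for Twig syntax inside [wpml_language_switcher] shortcode bodies in stored post content and grades what it finds, separating ordinary templating from the dump()/slice/~/map constructs used in the payload above. The benign switcher template and its languages variable are assumed for the sample.

```python
import re

# Twig output ({{ ... }}) and statement ({% ... %}) tags.
TWIG_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Body of each [wpml_language_switcher] ... [/wpml_language_switcher] shortcode.
SHORTCODE = re.compile(
    r"\[wpml_language_switcher\b[^\]]*\](.*?)\[/wpml_language_switcher\]", re.S)
# Constructs a legitimate language-switcher template has no reason to use.
INDICATORS = {
    "arith_probe": re.compile(r"\{\{\s*\d+\s*[*+/-]\s*\d+\s*\}\}"),  # {{ 7 * 4 }}
    "dump_call": re.compile(r"\bdump\s*\("),       # leaks variable internals
    "string_concat": re.compile(r"~"),             # assembles names char by char
    "slice_filter": re.compile(r"\|\s*slice\s*\("),
    "map_filter": re.compile(r"\|\s*map\s*\("),    # applies a callable to a list
    "system_ident": re.compile(r"\bsystem\b"),
}
HIGH = {"dump_call", "map_filter", "system_ident"}
MEDIUM = {"arith_probe", "string_concat", "slice_filter"}

def severity(hits):
    if HIGH & hits:
        return "high"
    return "medium" if MEDIUM & hits else "info"  # info: ordinary templating only

def scan_twig_in_shortcodes(content):
    """One finding per shortcode body that contains Twig syntax."""
    findings = []
    for m in SHORTCODE.finditer(content):
        body = m.group(1)
        tags = TWIG_TAG.findall(body)
        if not tags:
            continue
        hits = {name for name, rx in INDICATORS.items() if rx.search(body)}
        findings.append({"offset": m.start(), "twig_tags": len(tags),
                         "indicators": sorted(hits), "severity": severity(hits)})
    return findings

# Constructed sample post: an assumed benign switcher template (the `languages`
# variable is assumed), an arithmetic probe, and the payload quoted in the article.
SAMPLE_POST = """[wpml_language_switcher type="footer"]
<ul>{% for lang in languages %}<li>{{ lang.display_name }}</li>{% endfor %}</ul>
[/wpml_language_switcher]
[wpml_language_switcher]{{ 7 * 4 }}[/wpml_language_switcher]
[wpml_language_switcher]
{% set s = dump(current_language_code)|slice(0,1) %}
{% set y = dump(css_classes)|slice(4,1) %}
{% set system = s~y~s~t~e~m %}
{{ [id]|map(system)|join }}
[/wpml_language_switcher]
"""
```

Run it over exported post content (or a database dump of wp_posts) to triage which shortcodes deserve a look; the "info" findings are what normal use of the shortcode looks like.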
The Fallout
The delay in patching this vulnerability left websites exposed to potential exploitation for over two months. During this time, attackers could have used the flaw to install malware, steal sensitive data, or disrupt services, causing severe reputational and financial damage to site owners.
The relatively low bounty paid to the researcher highlighted broader concerns in the cybersecurity community about incentivizing responsible disclosure, especially for vulnerabilities with such wide-reaching impact.
Lessons Learned
The WPML vulnerability underscores the importance of stringent security practices in plugin development:
1. Input Validation: User inputs must always be sanitized and validated to prevent exploitation.
2. Regular Security Audits: Plugin developers should prioritize proactive security assessments to identify and mitigate risks.
3. Timely Patching: Critical vulnerabilities demand swift action to protect users and minimize exposure.
While plugins like WPML provide essential functionality, this incident serves as a stark reminder of the risks posed by insecure design. Thanks to the efforts of researchers like stealthcopter, such flaws are identified and responsibly disclosed, safeguarding millions of websites from potential harm.