Full Report
WordPress Multilingual Plugin (WPML) has 1 million active installations. It's a premium plugin that provides automatic language translation features. Templates have become more popular in recent years. They are pre-built web pages with placeholders in the code that take input to customize the rendered page. The templating code can also contain logic such as loops, if statements and much more. WordPress has a feature called Shortcode Blocks that functions similarly to templates. An example is adding an image to the page - it will handle all of the custom HTML formatting for you. In WordPress, custom shortcodes can be registered and then used in the program.

The WPML plugin added three custom shortcodes: language switcher, selector widget and selector footer. The language switcher shortcode used a Twig template, inserting the shortcode's content into it before it was evaluated. Unfortunately, it appears that the user's input was being evaluated twice, resulting in template injection. Although the article shows the code, it does not discuss the reason for this vulnerability occurring or the fix for it, which is a bummer.

With template injection, {{7 * 7}} will be evaluated as 49 when returned, which is how the author found it. In WordPress, all single and double quotes are escaped, which made exploitation difficult. They found that some functions could be called without parameters and returned strings. Then, they could use a string slicing method to get the character they wanted from the function's return value. Using this, they were able to generate arbitrary strings as inputs to execute bash commands. A good and impactful bug!
Analysis Summary
# Vulnerability: Remote Code Execution in WPML via Twig Server-Side Template Injection
## CVE Details
- CVE ID: CVE-2024-6386
- CVSS Score: 9.9 (Critical)
- CWE: CWE-94: Improper Control of Generation of Code ('Code Injection') (inferred from RCE via template injection)
## Affected Systems
- Products: WordPress Multilingual Plugin (WPML)
- Versions: All versions up to and including **4.6.12**
- Configurations: Any WordPress site running the WPML plugin on which its custom shortcodes can be used; the injection point is the content processed by the language switcher shortcode (`wpml_language_switcher`).
## Vulnerability Description
The WPML plugin registered three custom shortcodes (`wpml_language_switcher`, `wpml_language_selector_widget`, `wpml_language_footer`). The implementation for the `wpml_language_switcher` shortcode utilized the Twig template engine. This vulnerability arises because user-supplied input (likely the content passed into the shortcode) was evaluated by the Twig template engine, resulting in Server-Side Template Injection (SSTI). Although standard WordPress escaping mechanisms made direct injection difficult (as single and double quotes were being escaped), the researcher found a workaround involving function calls without parameters combined with string slicing (`|slice`) to construct arbitrary strings. This allowed for the circumvention of escaping and the eventual construction of payloads to execute arbitrary Bash commands on the server.
## Exploitation
- Status: **PoC available** (Detailed proof-of-concept exploiting string manipulation techniques is documented).
- Complexity: **High** (Due to the necessity of advanced Twig sandbox escape techniques involving string slicing and function calls without arguments to construct all necessary characters for command execution).
- Attack Vector: **Network** (Remote exploitation possible by injecting the payload via a vulnerable shortcode).
## Impact
- Confidentiality: **High** (Arbitrary command execution allows for reading sensitive files like `/etc/passwd`).
- Integrity: **High** (Arbitrary command execution allows for modification or deletion of system/application files).
- Availability: **High** (Arbitrary command execution can lead to server compromise, denial of service, or installation of malware).
## Remediation
### Patches
- The vulnerability was patched in **WPML version 4.6.13** and later. (The article notes a 62-day delay between reporting and patching.)
### Workarounds
- No specific workarounds were detailed; upgrading is the definitive fix. Until the patch is applied, disabling the `wpml_language_switcher` shortcode or strictly filtering user input to shortcodes could serve as an interim measure.
## Detection
- **Indicators of Compromise:** Look for unusual execution of system commands originating from web processes, particularly file reading attempts (e.g., `cat /etc/passwd`) or execution of unexpected binaries injected via shortcode content.
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) configured to detect common Twig template syntax patterns in shortcode content might flag initial probing attempts (e.g., `{{...}}`). Server logs should be monitored for suspicious commands executed by the web server user, especially those related to string manipulation or environment inspection.
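The following Python scanner is an added example, not code from WPML or from the wpsec article, illustrating the detection approach above and the "strictly filter user input to shortcodes" interim measure: it looks for Twig delimiters in user-controllable content, rates content enclosed by `wpml_language_switcher` highest (that is what the article says reached Twig), flags the `{{7*7}}` arithmetic probe, and flags the `|slice` filter the article names as the string-building primitive. The shortcode name comes from the page; the sample records are constructed and are not real site data.

```python
"""Scan user-controllable content for Twig SSTI indicators (CVE-2024-6386 context).

Added detection example; not code from WPML or from the wpsec article.
"""
import re
from collections import Counter
from dataclasses import dataclass

# The shortcode whose enclosed content the article says was handed to Twig.
SHORTCODE = "wpml_language_switcher"

# Twig output blocks ({{ ... }}) and tag blocks ({% ... %}).
TWIG_DELIM = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Classic SSTI probe: arithmetic inside an output block, e.g. {{7*7}}.
ARITH_PROBE = re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}")
# Twig's slice filter, which the article names as the string-building primitive.
SLICE_FILTER = re.compile(r"\|\s*slice\s*\(", re.IGNORECASE)
# Enclosing form of the shortcode: [wpml_language_switcher ...]BODY[/wpml_language_switcher]
SHORTCODE_BODY = re.compile(
    rf"\[{SHORTCODE}[^\]]*\](.*?)\[/{SHORTCODE}\]", re.DOTALL | re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    source: str    # where the content came from (post id, comment id, request id)
    severity: str  # "low", "medium" or "high"
    reason: str
    snippet: str   # the matched Twig block


def _severity(expr: str, in_shortcode: bool) -> str:
    # Twig syntax inside the vulnerable shortcode, or the slice filter anywhere,
    # is treated as a likely exploitation attempt; a bare arithmetic probe
    # elsewhere is reconnaissance; any other stray delimiter is low priority.
    if in_shortcode or SLICE_FILTER.search(expr):
        return "high"
    if ARITH_PROBE.fullmatch(expr):
        return "medium"
    return "low"


def _scan_fragment(source: str, text: str, in_shortcode: bool) -> list[Finding]:
    where = f"inside [{SHORTCODE}]" if in_shortcode else "outside the shortcode"
    findings = []
    for m in TWIG_DELIM.finditer(text):
        expr = m.group(0)
        if SLICE_FILTER.search(expr):
            reason = f"Twig slice filter {where}"
        elif ARITH_PROBE.fullmatch(expr):
            reason = f"arithmetic SSTI probe {where}"
        else:
            reason = f"Twig delimiters {where}"
        findings.append(Finding(source, _severity(expr, in_shortcode), reason, expr))
    return findings


def scan_content(source: str, content: str) -> list[Finding]:
    """Scan one piece of user-controllable content for Twig SSTI indicators."""
    findings = []
    # Content enclosed by the shortcode first: that is what reached Twig.
    for m in SHORTCODE_BODY.finditer(content):
        findings.extend(_scan_fragment(source, m.group(1), in_shortcode=True))
    # Then the rest, with shortcode bodies blanked out so nothing is counted twice.
    remainder = SHORTCODE_BODY.sub(" ", content)
    findings.extend(_scan_fragment(source, remainder, in_shortcode=False))
    return findings


def scan_records(records) -> list[Finding]:
    """Scan (source, content) pairs, e.g. rows pulled from wp_posts or a WAF body log."""
    return [f for source, content in records for f in scan_content(source, content)]


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {"high": 4, "medium": 1, "low": 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample records (not real site data): (source label, content).
SAMPLE_RECORDS = [
    ("post:101", "[wpml_language_switcher]Choose language[/wpml_language_switcher]"),
    ("post:102", "[wpml_language_switcher]{{7*7}}[/wpml_language_switcher]"),
    ("post:103", "Price is {{ 7*7 }} today"),
    ("post:104", "[wpml_language_switcher]{{ x|slice(0,1) }}[/wpml_language_switcher]"),
    ("comment:55", "Use {{ var }} in your Twig templates, see the docs"),
    ("post:105", "Just a {{ plain text without closing"),
    ("post:106", "[wpml_language_switcher]{% if 1 %}x{% endif %}[/wpml_language_switcher]"),
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.severity:6} {f.source:11} {f.reason}: {f.snippet!r}")
    print(summarize(results))
```

Run it over exported post and comment content (or WAF request-body logs) and triage the high findings first; a benign tutorial that mentions `{{ var }}` in a comment scores low, while Twig syntax inside the `wpml_language_switcher` shortcode is the condition the advisory describes. Extend `SAMPLE_RECORDS`-style input from your own data sources; the regexes only cover Twig's output and tag delimiters, so a second pass for encoded variants is worth adding if the site accepts HTML-entity-encoded braces.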
## References
- [Vendor Advisory/Source Article Summary Link](https://blog.wpsec.com/the-full-story-of-cve-2024-6386-remote-code-execution-in-wpml/)