10 results (0.007 seconds)

CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 2

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. • https://github.com/realbotnet/CVE-2024-6386 https://github.com/argendo/CVE-2024-6386 https://sec.stealthcopter.com/wpml-rce-via-twig-ssti https://wpml.org https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content). Vulnerabilidad de control de acceso roto en el complemento WPML Multilingual CMS premium en versiones &lt;= 4.5.10 en WordPress permite a los usuarios con un suscriptor o un rol de usuario superior cambiar la configuración del complemento (idioma seleccionado para widgets heredados, comportamiento predeterminado para contenido multimedia). The WPML plugin for WordPress is vulnerable to missing authorization checks in versions up to, and including, 4.5.10. This is due to improper access controls on authorization for user controls. This makes it possible for subscriber-level attackers to perform plugin settings changes. • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento WPML Multilingual CMS premium en WordPress en versiones &lt;= 4.5.13. The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to change the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-premium-plugin-4-5-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with subscriber or higher user roles to change the status of the translation jobs. Vulnerabilidad de control de acceso roto en el complemento WPML Multilingual CMS premium en WordPress en versiones &lt;= 4.5.10 permite a los usuarios con roles de suscriptor o de usuario superiores cambiar el estado de los trabajos de traducción. The WPML plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 4.5.10. This is due to improper access controls on authentication for user controls. This makes it possible for subscriber-level attackers to perform status changes of translation jobs. • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability-2?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento WPML Multilingual CMS premium en WordPress en versión &lt;= 4.5.13. The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unspecified function. This makes it possible for unauthenticated attackers to enact the status change of translation jobs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-premium-plugin-4-5-13-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •