CVE-2024-6386 – WPML Multilingual CMS <= 4.6.12 - Authenticated(Contributor+) Remote Code Execution via Twig Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2024-6386
The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
References: https://github.com/realbotnet/CVE-2024-6386 https://github.com/argendo/CVE-2024-6386 https://sec.stealthcopter.com/wpml-rce-via-twig-ssti https://wpml.org https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2023-29431 – qTranslate X Cleanup and WPML Import <= 3.0.1 - Missing Authorization via clean_ajx
https://notcve.org/view.php?id=CVE-2023-29431
The qTranslate X Cleanup and WPML Import plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean_ajx function in versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the 'clean' functionality.
CWE-862: Missing Authorization
CVE-2022-38461 – WordPress WPML Multilingual CMS premium plugin <= 4.5.10 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2022-38461
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a Subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content). The WPML plugin for WordPress is vulnerable to missing authorization checks in versions up to, and including, 4.5.10. This is due to improper access controls on authorization for user controls. This makes it possible for Subscriber-level attackers to change plugin settings.
References: https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability?_s_id=cve
CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization
CVE-2022-45071 – WordPress WPML Multilingual CMS premium plugin <= 4.5.13 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-45071
Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to change the plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References: https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-premium-plugin-4-5-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-38974 – WordPress WPML Multilingual CMS premium plugin <= 4.5.10 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2022-38974
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with Subscriber or higher user roles to change the status of translation jobs. The WPML plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 4.5.10. This is due to improper access controls on authentication for user controls. This makes it possible for Subscriber-level attackers to change the status of translation jobs.
References: https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability-2?_s_id=cve
CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization