VYPR
Critical severity9.9NVD Advisory· Published Aug 21, 2024· Updated Apr 8, 2026

CVE-2024-6386

CVE-2024-6386

Description

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Wpml/Wpml2 versions
    cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:*+ 1 more
    • cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:*range: <4.6.13
    • (no CPE)range: <=4.6.12
  • WordPress/Wpmlwp-canonicalize

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.