// CVE-2024-6386 · SSTI → RCE · WPML
WPML compromise?
Cleaned.
Authenticated SSTI in WPML's Twig template engine produced RCE. Disclosed September 2024. If your multilingual WordPress runs WPML and accepts contributor-level submissions, treat the site as compromised until verified. Flat $279.
§ 01 — WHAT THE BUG WAS
Twig template injection from a Contributor role.
WPML uses Twig to render parts of its translation pipeline. A code path passed content under the user's control into the Twig engine without sandboxing away the dangerous primitives. With access to the right field as a Contributor, an attacker could inject Twig syntax and ultimately invoke PHP functions, including ones that wrote files.
Patched in 4.6.13. The patch reduced the Twig sandbox to a safer subset; sites that updated promptly closed the door. The premium-only licensing means update rollout depended on each owner's license status.
§ 02 — INDICATORS
What we look at.
[ CONTENT ]
Posts or fields containing Twig curly-brace expressions ({{ … }} / {% … %}) and calls into runtime classes.
[ USERS ]
Contributor accounts created from September 2024 onward, especially via open registration. Cross-check each one against the post submissions that followed it.
[ FILES ]
Fresh PHP in wp-content/uploads/, modified plugin/theme files, new mu-plugins. Standard RCE persistence indicators.
[ OPTIONS ]
wp_options autoload entries added since the disclosure with unfamiliar names or base64-encoded payloads.
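The CONTENT and OPTIONS checks above, as an added example in Python (not code from this page or from WPML) run over constructed wp_posts / wp_options rows; the option-name prefix allow-list and the sample values are assumptions to tune per site:

```python
import base64
import binascii
import re

# Twig delimiters, and inside them names a contributor's post should never hold:
# method-style calls on objects, or PHP functions that execute code or write files.
TWIG_EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
DANGEROUS = re.compile(
    r"\.\w+\s*\(|\b(system|exec|passthru|shell_exec|eval|file_put_contents|fwrite)\b",
    re.I,
)
# Assumed allow-list of option-name prefixes considered normal on this site.
KNOWN_PREFIXES = ("wpml_", "_transient", "widget_")

def classify_post(content: str) -> str:
    """'high' if a Twig expression reaches for code/file primitives,
    'low' if the post merely contains Twig delimiters, 'clean' otherwise."""
    level = "clean"
    for m in TWIG_EXPR.finditer(content):
        inner = m.group(1) or m.group(2) or ""
        if DANGEROUS.search(inner):
            return "high"
        level = "low"
    return level

def suspicious_option(name: str, value: str, autoload: str) -> bool:
    """Flag autoloaded options with unfamiliar names whose value is a
    base64 blob that decodes to PHP source."""
    if autoload != "yes" or name.startswith(KNOWN_PREFIXES):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return False  # not base64 at all, so not this indicator
    return bool(re.search(r"<\?php|\beval\s*\(|base64_decode", decoded))

def triage(posts, options):
    """Return (post IDs classified 'high', option names flagged)."""
    hits = [pid for pid, content in posts if classify_post(content) == "high"]
    opts = [n for n, v, a in options if suspicious_option(n, v, a)]
    return hits, opts

# Constructed sample rows, not data from any real site.
SAMPLE_POSTS = [
    (101, "Opening hours: Mon-Fri. Our {{ shortcode_placeholder }} goes here."),
    (102, "<p>{{ some.object.call('file_put_contents', 'x.php', data) }}</p>"),
    (103, "Plain article text with no template syntax."),
]
SAMPLE_OPTIONS = [
    ("wpml_settings", "a:1:{...}", "yes"),
    ("zx_cache_key", base64.b64encode(b"<?php // constructed marker ?>").decode(), "yes"),
    ("widget_text", base64.b64encode(b"hello").decode(), "yes"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_POSTS, SAMPLE_OPTIONS))
```

In practice feed it the rows from `wp db query` exports and review every 'low' hit by hand, since a legitimate theme placeholder and a staged injection look alike at the delimiter level.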
§ PRICE
Flat $279. One-time. Per site.
[ RESCUE ]
$279
FLAT RATE · ONE-TIME · PER SITE
Manual cleanup, identification of the attack vector, written forensic report. 30-day reinfection guarantee.
Start a cleanup →
[ SHIELD ]
$29 / mo
PER SITE · CANCEL ANYTIME
Continuous monitoring, hardening, one cleanup per year included.
Get protected →
Site compromised? Start an engagement.
Send us what you know. You get a triage and a fixed quote in return — no obligation.