CVE Radar


CVE-2024-6386

Critical Severity | Wpml
SVRS: 77
CVSSv3: 8.8
EPSS: 0.73911
Tags: In The Wild, Exploit Available
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Publication date: 2024-08-21
Last modified: 2026-04-08


Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-6386, is a Remote Code Execution (RCE) flaw in the WPML plugin for WordPress, caused by Server-Side Template Injection (SSTI) in the Twig templating engine the plugin uses. It matters because successful exploitation lets an authenticated attacker with a low-privilege account (Contributor-level or higher) execute arbitrary code on the affected server. That can lead to complete compromise of the WordPress installation and potentially the underlying host, enabling data theft, website defacement, installation of backdoors, or further network penetration.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS v3.1 base score for CVE-2024-6386 is 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), which corresponds to a High severity level. The vulnerability was published on August 21, 2024, at 20:29:23 UTC, and was last modified on April 8, 2026, at 17:33:51 UTC.
3. Which products, vendors, systems, and versions are affected?
  • Product: WPML (WordPress Multilingual Plugin)
  • Vendor: OnTheGoSystems
  • Systems: WordPress installations running the WPML plugin
  • Affected Versions: All versions up to, and including, 4.6.12 are vulnerable.
4. What is the technical root cause and attack vector?
The root cause of CVE-2024-6386 is missing input validation and sanitization in the plugin's `render` function: a string the user controls reaches Twig as template source rather than as data. Twig therefore parses and evaluates anything inside its `{{ ... }}` and `{% ... %}` delimiters on the server, which is the Server-Side Template Injection (SSTI) condition described by CWE-1336. The attack vector is an authenticated attacker with Contributor-level access or higher injecting Twig template code through this path.
5. How can this vulnerability be exploited?
Exploitation requires an authenticated account with at least Contributor-level permissions on a WordPress site running a vulnerable WPML version. The privilege bar is low: in WordPress a Contributor can write and edit their own posts but cannot publish them, so the role is commonly handed to guest authors. The attacker submits content containing Twig template code; because the `render` function does not validate or sanitize it, the engine evaluates the injected expressions and the attacker obtains arbitrary code execution on the server.
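To make the root cause in sections 4 and 5 concrete, the following added example (not WPML's code, and not taken from the referenced write-ups) shows the vulnerable pattern, in which user-controlled text is compiled as a Twig template, next to the hardened pattern, in which user text only ever enters a fixed template as a variable. Twig's sandbox is shown as defence in depth and also to show its limit. Function names, the fixed template string, the sandbox policy and the `{{ 7 * 7 }}` probe are assumptions of the example; the Twig classes and methods are Twig's real API and require `composer require twig/twig`.

```php
<?php
// Added illustration of the Twig SSTI pattern behind CVE-2024-6386.
// This is NOT WPML's code: the function names, the fixed template and the
// sandbox policy are assumptions for the example. Requires twig/twig
// (composer require twig/twig); the Twig classes used are real API.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

/**
 * VULNERABLE pattern: a string the user controls becomes the template
 * *source*. Twig then parses and evaluates anything inside {{ }} or {% %}.
 */
function render_vulnerable(string $userMarkup, array $vars): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($userMarkup)->render($vars);
}

/**
 * HARDENED pattern: the template is a fixed, developer-owned string and user
 * input only enters as a *variable*. Twig autoescapes it and never treats it
 * as code, so delimiters in the input are printed, not evaluated.
 */
function render_hardened(string $userMarkup, array $vars): string
{
    $twig = new Environment(
        new ArrayLoader(['switcher' => '<span class="{{ css }}">{{ content }}</span>']),
        ['autoescape' => 'html']
    );
    return $twig->render('switcher', ['css' => $vars['css'] ?? '', 'content' => $userMarkup]);
}

/**
 * Defence in depth: a sandbox with an explicit allow-list. It limits which
 * tags/filters/functions/methods a template may use, but it is NOT a fix for
 * compiling untrusted input: plain expressions still evaluate (see below).
 */
function render_sandboxed_source(string $userMarkup): string
{
    $twig = new Environment(new ArrayLoader());
    $policy = new SecurityPolicy(
        ['if', 'for'],       // allowed tags
        ['escape', 'upper'], // allowed filters ('escape' is what autoescape applies)
        [],                  // allowed methods per class: none
        [],                  // allowed properties per class: none
        []                   // allowed functions: none
    );
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template
    return $twig->createTemplate($userMarkup)->render([]);
}

// Constructed probe: the classic SSTI canary. "49" coming back proves the
// engine evaluated attacker-controlled text as template code.
$probe = '{{ 7 * 7 }}';

echo 'vulnerable : ', render_vulnerable($probe, []), PHP_EOL;                       // 49
echo 'hardened   : ', render_hardened($probe, ['css' => 'lang-switcher']), PHP_EOL;  // <span class="lang-switcher">{{ 7 * 7 }}</span>
echo 'sandboxed  : ', render_sandboxed_source($probe), PHP_EOL;                     // still 49: arithmetic needs no tag, filter or function

// What the sandbox does stop: anything outside the allow-list is rejected with
// a SecurityError when the template is compiled or rendered, not executed.
try {
    render_sandboxed_source('{% set y = 1 %}{{ y }}');
} catch (SecurityError $e) {
    echo 'blocked    : ', $e->getMessage(), PHP_EOL;                                // Tag "set" is not allowed ...
}
```

The point of the third call is the caveat a reviewer should carry into the fix: a sandbox narrows the damage a template can do, but only removing user input from the template source (the `render_hardened` shape) closes the injection.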
6. What mitigation steps and patches are available?
The primary mitigation is to update WPML to a patched release, that is, any version later than 4.6.12, since all versions up to and including 4.6.12 are affected. Because exploitation requires an authenticated account, audit Contributor-and-above accounts and disable any that are unexpected until the update is applied. Keep all WordPress plugins, themes, and the core installation up to date as a matter of routine.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by checking the installed WPML version (the Plugins page in the WordPress admin, or the `Version:` line in the plugin's main file header). Any installation running WPML 4.6.12 or earlier is vulnerable to CVE-2024-6386. Automated vulnerability scanners that fingerprint plugin versions can also be used.
8. What are the indicators of compromise (IOCs)?
Specific indicators of compromise for CVE-2024-6386 are not detailed in the available data. For a Remote Code Execution vulnerability, general IOCs to look for include:
  • Presence of unexpected files or web shells in the WordPress installation directory.
  • Unusual outbound network connections from the web server.
  • Suspicious processes running on the server.
  • Modifications to critical system files or WordPress configuration files.
  • Abnormal entries in web server access or error logs, in particular Twig delimiters (`{{`, `{%`, or their URL-encoded forms `%7B%7B`, `%7B%25`) in request data, indicating template-injection attempts.
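The following added example covers both section 7 (version check) and section 8 (hunting for injection attempts); it is not WPML's or CVE Radar's code. It reads the `Version:` header of a plugin file, compares it against the affected range, and scans text records for Twig delimiters after URL-decoding them, so a probe in an access-log query string is found as well as one stored in post content. The plugin header, post contents and log lines are constructed sample data, and the path of WPML's main file is an assumption to confirm on your own install.

```php
<?php
// Added detection helpers for sections 7 and 8 (not WPML's or CVE Radar's code).
// The sample plugin header, post contents and access-log lines below are
// constructed for the example. The real WPML main file is an assumption you
// should confirm on your install (wp-content/plugins/sitepress-multilingual-cms/sitepress.php).
declare(strict_types=1);

const WPML_LAST_VULNERABLE = '4.6.12'; // advisory: all versions up to and including 4.6.12

/** Extract "Version: x.y.z" from a WordPress plugin header comment. */
function wpml_version_from_header(string $pluginFileText): ?string
{
    return preg_match('/^[\s\*]*Version:\s*([0-9][0-9A-Za-z.\-]*)/mi', $pluginFileText, $m) ? $m[1] : null;
}

/** True when the installed version is in the affected range. */
function is_vulnerable_wpml_version(string $version): bool
{
    return version_compare($version, WPML_LAST_VULNERABLE, '<=');
}

/**
 * Return the Twig delimiter pairs found in $text. The text is URL-decoded
 * first so that %7B%7B...%7D%7D in an access log is caught as well as a
 * raw {{ ... }} in stored post content.
 */
function find_twig_syntax(string $text): array
{
    preg_match_all('/\{\{.*?\}\}|\{%.*?%\}/s', rawurldecode($text), $m);
    return $m[0];
}

/** Label each record (post content, log line, ...) that carries Twig syntax. */
function triage(array $records): array
{
    $hits = [];
    foreach ($records as $label => $text) {
        if ($found = find_twig_syntax($text)) {
            $hits[$label] = $found;
        }
    }
    return $hits;
}

// --- constructed sample data ------------------------------------------------
$sampleHeader = <<<'TXT'
/**
 * Plugin Name: WPML Multilingual CMS
 * Version: 4.6.12
 */
TXT;

$samples = [
    'post#101 (contributor draft)' => 'Welcome to our new office. {{ 7 * 7 }}',
    'post#102 (editor page)'       => 'Plain paragraph, nothing templated.',
    'access.log:1'                 => '203.0.113.5 - - [21/Aug/2024:21:02:11 +0000] "GET /?s=%7B%7B7*7%7D%7D HTTP/1.1" 200 4201',
    'access.log:2'                 => '203.0.113.5 - - [21/Aug/2024:21:02:13 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 -',
];

$version = wpml_version_from_header($sampleHeader);
printf(
    "WPML %s: %s\n",
    $version ?? 'unknown',
    $version !== null && is_vulnerable_wpml_version($version) ? 'VULNERABLE, update' : 'not in affected range'
);

foreach (triage($samples) as $label => $found) {
    printf("%-30s %s\n", $label, implode(' | ', $found));
}
// Expect hits on post#101 and access.log:1 only. Twig syntax in content a
// Contributor authored is a lead, not proof of exploitation (a tutorial about
// Twig would match too): inspect the account and the post's revision history.
```

Run the content scan against `post_content` for posts whose author holds the Contributor role or above, since that is where the page places the injection, and keep the log scan for probes that arrive through other request paths.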
9. Which threat actors are known to exploit this vulnerability?
The data on this page indicates that exploit code has been published (tags: In The Wild, Exploit Available; see the GitHub proof-of-concept repositories listed below), but no specific threat actors or groups are named as exploiting CVE-2024-6386.
10. What public intelligence references and advisories exist?
Public intelligence references and advisories include:
  • CVE ID: CVE-2024-6386
  • CWE IDs: CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-1336 (Improper Neutralization of Special Elements used in a Template Engine)
  • CVSS Score: 8.8 (High)
  • Publication Date: 2024-08-21
  • Security advisories: the researcher write-up at sec.stealthcopter.com, the Wordfence vulnerability record, and the vendor site wpml.org (links in the References section of this page).
11. What is the risk assessment and urgency level?
The risk level for CVE-2024-6386 is assessed as High, with a Critical urgency level for remediation. This assessment is based on a CVSS score of 8.8 and the vulnerability type being Remote Code Execution. The ability for authenticated attackers (even with Contributor-level access) to execute arbitrary code on the server poses a severe threat, potentially leading to full system compromise, data breaches, and service disruption. The fact that active exploits have been published further elevates the urgency, as it increases the likelihood of widespread attacks. Immediate patching is strongly recommended.
Related indicators (Type | Indicator | Date)
HOSTNAME | psimg.com | 2025-03-31
HOSTNAME | budufiorcollective2026.click | 2026-02-21
HOSTNAME | recepa-xarihi.site | 2025-06-18
HOSTNAME | avocatcapitanumagdalena.com | 2025-04-17
HOSTNAME | graffanisa.pro | 2025-05-22
HOSTNAME | blasiusapartman.hu | 2025-06-30
HOSTNAME | ysuyhd7e.lat | 2025-05-21
Public exploit code (Title | Link | Date)
argendo/CVE-2024-6386 | https://github.com/argendo/CVE-2024-6386 | 2024-09-05
realbotnet/CVE-2024-6386 | https://github.com/realbotnet/CVE-2024-6386 | 2024-08-27

Configuration 1 (Type | Vendor | Product)
App | wpml | wpml

References
https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/
https://wpml.org/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve
Weakness classification
CWE-94, Improper Control of Generation of Code ('Code Injection'): The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1336, Improper Neutralization of Special Elements Used in a Template Engine: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
