// CVE-2024-6386 · SSTI → RCE · WPML
WPML compromise?
Cleaned.
Authenticated SSTI in WPML's Twig template engine produced RCE. Disclosed September 2024. If your multilingual WordPress runs WPML and accepts contributor-level submissions, treat the site as compromised until verified. Flat $279.
§ 01 — WHAT THE BUG WAS
Twig template injection from a Contributor role.
WPML uses Twig to render parts of its translation pipeline. A code path passed user-controlled content into the Twig engine without escaping the dangerous primitives. With access to the right field as a Contributor, an attacker could inject Twig syntax and ultimately invoke PHP functions, including ones that wrote files.
Patched in 4.6.13. The patch reduced the Twig sandbox to a safer subset; sites that updated promptly closed the door. The premium-only licensing means update rollout depended on each owner's license status.
§ 02 — INDICATORS
What we look at.
[ CONTENT ]
Posts or fields containing Twig curly-brace expressions and calls to runtime classes.
[ USERS ]
Contributor accounts created from September 2024 onward — especially via open registration. Cross-check each one against the post submissions that followed it.
[ FILES ]
Fresh PHP in wp-content/uploads/, modified plugin/theme files, new mu-plugins. Standard RCE persistence indicators.
[ OPTIONS ]
wp_options autoload entries added since the disclosure with unfamiliar names or base64-encoded payloads.
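The four indicator classes above translate directly into checks that can run offline against exports (a WP-CLI or SQL dump of posts, users and options, plus a file listing). The script below is an added example, not the service's own tooling: the row layouts, the baseline sets, the `DISCLOSURE` cut-off date and all sample records are constructed for illustration. Note that `wp_options` carries no creation timestamp, so "added since the disclosure" has to be judged against a baseline export taken before that date.

```python
"""Triage helpers for the CONTENT / USERS / FILES / OPTIONS indicators.
Added example; all inputs are plain dicts/tuples and the sample data at the
bottom is constructed, so everything runs offline."""
import re
import base64
import binascii
from datetime import date

DISCLOSURE = date(2024, 9, 1)  # assumption: first day of the disclosure month

# Twig output {{ ... }} and statement {% ... %} delimiters in stored content.
TWIG_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# A namespaced PHP class reference such as Vendor\Pkg\Klass inside content.
CLASS_REF = re.compile(r"(?<![\w\\])[A-Z]\w*(?:\\[A-Z]\w*)+")
# A value that is one long base64 token (common way to hide a payload).
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def scan_posts(posts):
    """[CONTENT]: posts carrying Twig syntax; also note class references."""
    hits = []
    for p in posts:
        if TWIG_EXPR.search(p["content"]):
            reasons = ["twig-syntax"]
            if CLASS_REF.search(p["content"]):
                reasons.append("class-reference")
            hits.append((p["ID"], p["post_author"], reasons))
    return hits


def recent_contributors(users, posts, since=DISCLOSURE):
    """[USERS]: contributors registered on/after `since` with their submission count."""
    out = []
    for u in users:
        if u["role"] == "contributor" and u["registered"] >= since:
            n = sum(1 for p in posts if p["post_author"] == u["ID"])
            out.append((u["user_login"], n))
    return out


def fresh_php(files, baseline):
    """[FILES]: PHP under uploads/, mu-plugins not in the baseline, and
    plugin/theme paths absent from the baseline listing."""
    flagged = []
    for path in files:
        if path.startswith("wp-content/uploads/") and path.endswith(".php"):
            flagged.append((path, "php-in-uploads"))
        elif path.startswith("wp-content/mu-plugins/") and path not in baseline:
            flagged.append((path, "new-mu-plugin"))
        elif path.startswith(("wp-content/plugins/", "wp-content/themes/")) and path not in baseline:
            flagged.append((path, "unexpected-plugin-or-theme-file"))
    return flagged


def suspicious_options(options, baseline_names):
    """[OPTIONS]: autoloaded options missing from the baseline export, or whose
    value is a base64 token that decodes to PHP source."""
    flagged = []
    for name, value, autoload in options:
        if autoload != "yes":
            continue
        reasons = []
        if name not in baseline_names:
            reasons.append("not-in-baseline")
        if B64_TOKEN.match(value):
            try:
                decoded = base64.b64decode(value, validate=True)
                if b"<?php" in decoded or b"eval(" in decoded:
                    reasons.append("base64-php")
            except binascii.Error:
                pass
        if reasons:
            flagged.append((name, reasons))
    return flagged


def triage(posts, users, files, baseline_files, options, baseline_options):
    """Run all four checks and return one report dict."""
    return {
        "content": scan_posts(posts),
        "users": recent_contributors(users, posts),
        "files": fresh_php(files, baseline_files),
        "options": suspicious_options(options, baseline_options),
    }


# ---- constructed sample data (not from any real site) ----
SAMPLE_POSTS = [
    {"ID": 1, "post_author": 2, "content": "Welcome to our bilingual shop."},
    {"ID": 2, "post_author": 7,
     "content": r"Order total: {{ total|number_format }} via Acme\Demo\Runtime"},
]
SAMPLE_USERS = [
    {"ID": 2, "user_login": "editor_anna", "role": "editor", "registered": date(2022, 3, 1)},
    {"ID": 7, "user_login": "guest9173", "role": "contributor", "registered": date(2024, 9, 12)},
]
SAMPLE_FILES = [
    "wp-content/uploads/2024/09/banner.png",
    "wp-content/uploads/2024/09/cache.php",
    "wp-content/mu-plugins/loader.php",
    "wp-content/plugins/example-plugin/example.php",  # placeholder plugin path
]
BASELINE_FILES = {"wp-content/plugins/example-plugin/example.php"}
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test", "yes"),
    ("wp_ui_cache", base64.b64encode(b"<?php /* constructed placeholder */ echo 1; ?>").decode(), "yes"),
]
BASELINE_OPTIONS = {"siteurl"}

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_POSTS, SAMPLE_USERS, SAMPLE_FILES,
                                BASELINE_FILES, SAMPLE_OPTIONS, BASELINE_OPTIONS).items():
        print(section, hits)
```

Each hit is a lead, not a verdict: a legitimate post may embed Twig for a page builder, and a theme update legitimately changes plugin/theme files, so every flagged item still needs a human look. The baseline sets are the pre-disclosure state of the site; without one, a clean install of the same plugin versions is the next best comparison point.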
§ PRICE
Flat $279. One-time. Per site.
[ RESCUE ]
$279
FLAT · ONE-TIME · PER SITE
Manual cleanup, entry vector identified, written forensic report. 30-day reinfection guarantee.
Start cleanup →
[ SHIELD ]
$29 / mo
PER SITE · CANCEL ANYTIME
Ongoing monitoring, hardening, one cleanup per year included.
Get protected →
Site compromised? Start an engagement.
Send us what you know. You get a triage and a fixed quote in return — no obligation.