What is CVE-2024-6386?

A server-side template injection (SSTI) in WPML's Twig template processing. Authenticated users with at least the Contributor role could inject Twig template syntax that escaped the sandbox and reached PHP function execution. Affected: WPML Multilingual CMS versions prior to 4.6.13. Disclosed September 2024.

Contributor-level only — was that really exploitable?

Yes. Contributor is the lowest 'authenticated' role and is often granted for guest posting, partner content, or freelancer access. On any site with open registration plus contributor by default, the bug was effectively unauthenticated. WPML's premium multilingual install base also overlaps heavily with publishing sites that accept submissions.

How do I know my site was hit?

Check for posts or content containing Twig curly-brace syntax in fields that pass through WPML's translation handling. Check the standard WordPress RCE indicators: fresh admin users, fresh PHP in uploads, modified plugin files, new active plugins.

WPML is a premium plugin. Do you handle premium-plugin compromises?

Yes. The cleanup approach is identical to any WordPress compromise — manual file and database review, vector identification, hardening. Premium-vs-free doesn't change the cleanup.

CVE-2024-6386 · SSTI → RCE · WPML

WPML compromise cleanup.

Authenticated SSTI in WPML's Twig template engine produced RCE. Disclosed September 2024. If your multilingual WordPress runs WPML and accepts contributor-level submissions, treat the site as compromised until verified. Flat $279.

Start a cleanup About the bug

What the bug was

Twig template injection from a Contributor role.

WPML uses Twig to render parts of its translation pipeline. A code path passed content under the user's control into the Twig engine without escaping the dangerous primitives. With access to the right field as a Contributor, an attacker could inject Twig syntax and ultimately invoke PHP functions including ones that wrote files.

Patched in 4.6.13. The patch reduced the Twig sandbox to a safer subset; sites that updated promptly closed the door. The premium-only licensing means update rollout depended on each owner's license status.

Indicators

What I look at.

Content
Posts or fields containing Twig curly-brace expressions and calls to runtime classes.
Users
Contributor accounts created in September 2024 onward — especially via open registration. Cross-check against the post submissions that followed each one.
Files
Fresh PHP in wp-content/uploads/, modified plugin/theme files, new mu-plugins. Standard RCE persistence indicators.
Options
wp_options autoload entries added since the disclosure with unfamiliar names or base64-encoded payloads.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.