WPML < 4.3.7 - Authenticated Cross Site Request Forgery leading to Remote Code Execution



Description
The sitepress-multilingual-cms (WPML) WordPress plugin before version 4.3.7 has a CSRF vulnerability due to a loose comparison, which leads to remote code execution.

Affects Plugin

fixed in version 4.3.7
- plugin closed

References

CVE 2020-10568
URL https://medium.com/@arall/sitepress-multilingual-cms-wplugin-wpml-4-3-7-b-2-9c9486c13577

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Gerard Arall
Submitter Gerard Arall
Submitter Twitter gerardarall
Verified No
WPVDB ID 10131

Timeline

Publicly Published 2020-03-09 (3 months ago)
Added 2020-03-13 (2 months ago)
Last Updated 2020-03-15 (2 months ago)
