Yesterday we released WPML 3.1.9, which addresses several security concerns. We take the security of our clients very seriously, so as soon as we noticed these possible exploits, we set to work on a version which fixes them. That version added sanitization to a number of places in the code. One of them sanitized URLs incorrectly, resulting in a bug that caused WPML not to decode non-English URLs correctly.

So, if you updated WPML to 3.1.9 and got a 404 error, please note that you’re not alone. We had it for several hours on our own sites too.

URL resolution bug with WPML 3.1.9

We had to balance the urgency of fixing a security issue against the time it takes to test every feature in WPML. In this case, we didn’t catch the problem and released a version that fixes the security issues but introduces the URL bug.

It’s fixed now in 3.1.9.1. We are very sorry for the trouble that this has caused. Please note that this was a ‘render’ issue only, meaning nothing was changed in your database and your content is still there.

Back to normal with WPML 3.1.9.1

Please be sure to update to the latest version of WPML. Don’t let this glitch keep you from updating, so that you have the most recent and secure version of WPML.

After upgrading, we encourage you to register your site on wpml.org. You can register as many sites as you need, for yourself and for your clients. This registration tells us which versions run where. We are going to use it to contact clients who have out-of-date versions of WPML and advise them to upgrade sites they might have forgotten about.

Questions? Ideas? Suggestions? Let us know by leaving your comments.

36 Responses to “WPML Security Update, Bug and Fix”

  1. Rob the angyr coder says:

    Well, one suggestion would be to learn how to write proper changelogs, create something similar to https://cve.mitre.org/ so we can mitigate any security issues and write tests for them where we use WPML.

    When you write shit like “As with any security update, we will skip the detailed description of the security improvements. We would like to emphasize the importance of updating WPML on your sites and all your client sites ASAP.” we can’t judge anything from that, and it will not protect the innocent at all. The people writing exploits already know the bugs, but we the people that are trying to defend our systems can’t know without starting diffing and screwing around with the code to figure out what the hell you did and why you did it.

    Are there remote execution sploits? Do you need admin for it? Which versions are affected? So many questions, no answers…

    Security by obscurity is *WORSE* than no security at all. In complicated setups where we need to plan downtime and maintenance windows this is a nightmare.

    We need the information so we can mitigate it and detect it, and write rules in our WAFs and other security solutions and make it part of the security pentest suite that we use, so we *KNOW* that it does not happen again.

    • Amir says:

      We write detailed changelogs for everything except exploits. Obviously, our sites are all updated, but not all clients managed to update their sites yet. I don’t think that it’s fair to describe how to hack into people’s sites, no matter if they are our clients or not.

      • koenD says:

        I agree with Rob.

        And Amir, I think WPML is being naive.

        What do you think hackers will do when there is no changelog? Compare code and figure out how to exploit it. Hackers don’t need a changelog for that.

        This is how you should address security issues: https://yoast.com/wordpress-seo-security-release/

        Just tell site admins what they are dealing with.

        • Amir says:

          We see our responsibility extending beyond releasing a security update. We want to make sure that:

          1) Everyone updated and is secure
          2) People don’t have problems with their sites (security or otherwise)

          Fortunately, we have the mechanism to see which sites still require updates. We are sending email reminders to their webmasters. As soon as we see that all, or almost all, sites are up-to-date and secure, we can explain what the exploits were.

          I don’t think that people would be very happy to see this update from us, not manage to install it and see an explanation, on our own site, how to exploit their sites.

          Some people reacted very quickly to this update, but it’s taking longer for others. We know that not every person is immediately accessible or available, so we don’t want to disclose the technical details before everyone had a chance to update.

          I’d like to be responsible for our policy and I leave others to be responsible for their policies.

          Does this sound fair?

          • Jeff McNeill says:

            The emails are really not very helpful, just more nonsense. If there was an automated way to update WPML, such as clicking an UPDATE button, that would be helpful. Why do I need an installation tutorial?

            Looks like your security update broke lots of sites, because it wasn’t tested. Availability and access are aspects of security as well. Really disappointed in how WPML handles updates, security, changelogs, and not taking responsibility. You need a security officer.

            • Amir says:

              WPML has an automated update process. Once you do the one-time registration, your site will receive automatic updates to all of WPML’s components. You can get these updates either via the Plugins admin screen or via the Dashboard->Updates menu. This is the same workflow for getting updates as for all plugins coming from the WordPress plugins repository. Our installation FAQ explains how to do the initial installation and registration. After that, you receive updates automatically.

              Are you having any sort of issues on your sites with the recent version of WPML? If so, please let me know about it, so that we can help you. Currently, there are many thousands of sites running the recent version and we haven’t received reports of problems with it.

              • jeffmcneill says:

                There are so many issues with this response:

                1. You HAVE received reports of problems with sites with non-Latin character URLs. That is listed on this page already.

                2. Having automated update that cannot be controlled by website admins is a huge error. I’ve looked into this on your discussion forums and I am appalled by this and have unregistered all my sites.

                3. Your update system is completely outside of the WordPress plugin update system, which is completely unnecessary, and a huge security issue, not to mention getting updates that break sites.

                4. The email I received says that 3.1.9.3 is the latest, but my sites only update to 3.1.9 and there is no way I can force that process? Looking here: http://wpml.org/faq/install-wpml/ it appears I have to register a site key, manually download the system, then de-register the site key each time I want to update. That’s just crazy.

                I feel that I’ve made a huge mistake by purchasing and installing WPML.

                • Amir says:

                  There might be some misunderstanding here.

                  WPML uses the WordPress updates system, as it is. We think that it’s a pretty good system.

                  That system allows us to hook and change the source of plugins. We use it to send updates from wpml.org, rather than from wordpress.org. The rest of the workflow comes from WordPress core.

                  We don’t force updates. We signal to WordPress that an update is available. Then, it’s displayed as a notification to the user, who can click on the update button. There is a discussion in WordPress core about making plugin updates automatic. Whatever they will decide will happen, but we don’t change that mechanism. Currently, in WordPress 4.1.1, WPML updates are available and require action to apply.

                  The manual download needs to be done ONCE. After you do this and register, you receive automated updates, as explained above. Some sites haven’t registered for automatic updates (like your sites now), so our FAQ explains how to do this registration and receive future updates automatically.

                  Does this help? If you are seeing anything different, please let us know.

                • jeffmcneill says:

                  You are wrong. (your message below, as the thread reply limit has been reached in terms of replies to replies). See this thread for more info: https://wpml.org/forums/topic/please-specify-a-way-to-disable-wpml-updates-beside-unregistering-the-site/

      • Leo says:

        Thanks Amir 🙂 Have the performance improvements been included yet? Appreciate the fact that exploits aren’t published, as some might not update their sites on time 🙂

        • Amir says:

          This update only handles the security issues. We had to push it without delay and didn’t want to bundle other changes which may cause new issues and require longer testing. Right now, we are back to WPML 3.2, which includes:

          * Fixes for corner cases
          * Better performance, especially around string translation
          * Connection to other translation services

          We’re doing our best to complete this together with WordPress 4.2, so that we don’t have to release another intermediary version for WP 4.2 changes.

  2. Rainer says:

    I have big trouble with my customer and his small online shop http://www.mr-verlag.de.
    But I hope the problem is fixed now.

    • Amir says:

      Could you tell us what the problem is, so we can help you? Best is to open a thread in our technical forum. After you do this, please paste the link here, so that I can follow up and see that it’s handled correctly.

    • Agnes Bury says:

      This is something that our support team is best fit to answer. Have you asked in our technical support forum? When you do that, please be sure to explain how you’re handling the e-commerce in your site (plugin / theme).

  3. Rainer says:

    … not fixed!

  4. Shane says:

    I tried the new WPML 3.1.9.2 update out on localhost (luckily) before updating on the production site http://kalao-design.com. This update breaks the site, leaving only a white screen!!! I had to manually delete the plugin and reinstall WPML 3.1.8.6 to get it working again.

    • Amir says:

      Andrea, lead developer of WPML is handling this. If there’s still an unresolved problem, please start a new thread in our technical support forum. A WSOD can come from many things (including memory overflow, etc.). When you open a support thread, please be sure to enable error logging and tell us what you see in the PHP error log. This will immediately indicate the source of the problem and we can handle it.

      See here for how to enable error logging:
      http://wpml.org/documentation/support/debugging-wpml/

      If you create a support thread with this info, please add another message here with the link to that thread, so we can follow up closely.

  5. garyw-2 says:

    Any update on what the following 3 updates do?

    • Amir says:

      A series of fixes all revolving around cases of sites that have URLs with non-English characters. We’re sorry that it took several iterations to catch all these. Before SQL statements were escaped, everything worked fine, but could be potentially exploited (not so easily though). Escaping had its interactions with different server setups, so that opened a good number of corner cases that escaped our testing.

      The critical update was to 3.1.9. If your site uses non-English characters in URLs, you may have some 404 errors instead of content, which the subsequent updates fix.

      Normally, this would not be our release process. Before updating WPML, we would run full QA that would find these problems. Since it was an urgent update (to respond in a timely manner to a security report), we didn’t want to delay for 3 weeks with the complete QA. For now, it appears that everyone is OK.

      Just for the record, the unfortunate bug with non-English URLs affected our sites too, so you’re not alone 🙂
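The post’s URL bug (a sanitizer that left non-English URLs undecodable) and Amir’s point above about escaping and non-English characters, shown in an added Python example that is not WPML’s code: POSTS, the sqlite table and SLUG_RE are constructed stand-ins, and resolve_broken is a reconstruction of the mistake pattern, not the actual 3.1.9 change.

```python
# Added example (not WPML's code): the "sanitize before decode" mistake that
# turns every percent-encoded (non-English) slug into a 404, next to a
# decode-then-validate-then-bind version that handles them correctly.
import re
import sqlite3
from urllib.parse import quote, unquote

# Constructed sample posts keyed by slug; the Hebrew and French ones are the
# kind of non-English URL the post says 3.1.9 stopped resolving.
POSTS = {"hello-world": 1, "שלום-עולם": 2, "café-été": 3}


def browser_path(slug: str) -> str:
    """What a browser really sends for a Unicode slug: percent-encoded UTF-8."""
    return "/" + quote(slug)


def resolve_broken(path: str):
    """Reconstruction of the bug pattern (not WPML's actual change): an ASCII-only
    whitelist is applied to the raw request path *before* percent-decoding it.
    '%' is not in the whitelist, so '%D7%A9...' degrades to 'D7A9...', unquote()
    has nothing left to decode and the slug never matches. None stands for 404."""
    slug = path.strip("/")
    slug = re.sub(r"[^A-Za-z0-9_-]", "", slug)   # mangles the encoded bytes
    slug = unquote(slug)                          # now a no-op
    return POSTS.get(slug)


# Constructed in-memory table standing in for the posts table, filled from POSTS.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE posts (id INTEGER, slug TEXT)")
_DB.executemany("INSERT INTO posts VALUES (?, ?)", [(i, s) for s, i in POSTS.items()])

# \w in a Python str pattern is Unicode-aware, so Hebrew, accented Latin, CJK...
# all pass, while '/', '.', quotes and whitespace do not.
SLUG_RE = re.compile(r"[\w-]+")


def resolve_fixed(path: str):
    """Decode first, validate the *decoded* slug, then look it up with a bound
    parameter so no hand-written SQL escaping ever touches the Unicode text."""
    try:
        slug = unquote(path.strip("/"), errors="strict")  # reject malformed UTF-8
    except UnicodeDecodeError:
        return None
    if not SLUG_RE.fullmatch(slug):                       # empty, traversal, quotes...
        return None
    row = _DB.execute("SELECT id FROM posts WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for slug in POSTS:
        p = browser_path(slug)
        print(f"{p:<50} broken={resolve_broken(p)} fixed={resolve_fixed(p)}")
```

Running it shows the English slug resolving in both versions while the Hebrew and French ones resolve only in resolve_fixed, which is exactly the "404 only for non-English URLs" symptom described above.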

  6. Hadorn says:

    Thanks for this statement, Amir. We did go through quite some trouble with this update on several client sites. Your post helps us to understand why you have released this update with such urgency. I agree with Rob though that more detailed information on the security issues would be very helpful.

    • Amir says:

      We’ll publish that more detailed information, as soon as we see that almost everyone updated their sites. The registration process in WPML allows us to see who’s using which version. I’m sending out reminder emails today encouraging everyone to update as soon as possible. When we see that almost all sites are up-to-date (hopefully, all), we will explain in more detail the security improvements.

  7. Demarteau says:

    Hi,
    I’ve registered WPML since the beginning (December 1, 2014) and everything is going well.
    I’m not able to find the update button in the update dashboard panel.
    So how can I update without the risk of losing every translation?
    Thanks for your response.

    • Amir says:

      When you go to Dashboard->Updates, you will find a button labelled ‘Check for updates’. Click on it, for WordPress to check available updates. WPML updates will only appear if you have registered WPML on your site. We explain the registration mechanism here:
      http://wpml.org/faq/install-wpml/

      You can register WPML on all your sites and sites that you build for your clients.

      Does this help?

  8. Ariel says:

    I’m running 2.3.4 — am I affected? Please don’t tell me to upgrade; I cannot afford yearly subscriptions.

  9. Jose Luis says:

    Having such expensive yearly subscriptions is the main reason why we changed to other translation plugins, but expecting people to pay for upgrades to fix severe security issues should simply be illegal.

    When I bought your plugin I assumed no new features after the subscription ended, but never that if the code was simply “faulty” you would just leave everyone stuck on their own. This is a bad policy that will turn against you in the long term.

    • Amir says:

      Hi Jose,

      I understand that it’s frustrating to have to pay for updates because of a change that you didn’t ask for. We want to make sure that this update is accessible to as many people as possible. This is why we’ve established a drastic discount for expired accounts:
      https://wpml.org/2015/03/special-discount-for-expired-wpml-accounts-to-access-security-updates/

      The blog post also explains the rationale behind it and how it works.

      • Jose Luis says:

        I understand what you’ve done, I simply don’t agree and find it unfair. This is not “a change I didn’t ask for”, it is a serious vulnerability due to bad coding that you should take responsibility for as you do with our payments. There should be a patch or at least clear procedures on how to stop/fix it for any previous installation, who is affected, etc.

        After a few hundred sites hacked because of your plugin, your reputation will drastically change, I bet.

  10. Philippe says:

    Hi,

    It is still not fixed for me.

    It is still impossible to do the update.

    Any new update coming?

    Thank you,
    Philippe

    • Agnes Bury says:

      Hi Philippe, have you upgraded to the latest versions and your problem persists? If so, could you please report it in our support forum.

      • Philippe says:

        Hi Agnes,

        The problem is that I can upgrade to the last version. The upgrade does not work.
        I will report in the support forum.

        Thank you,
        Philippe

  11. Arnau Vazquez says:

    I was also pissed off when I heard you were only providing the security fix to existing customers, and others like me who had paid for several years would not. But just when I was going to delve into the code to patch the exploit myself I saw that you had released an upgrade for all previous customers. It is fair then to applaud your change of mind and support to existing but discontinued installations.

    Kudos to the team and please keep working on such an essential plugin.

    • Amir says:

      Thanks for the feedback. I’m glad to see that you’re taking the security updates and applying them to your sites. I hope that everyone does that.

  12. Davide says:

    I don’t quite understand how this works. I did your security update, (my subscription is expired) but still plugin system is asking for more updates, to the 3.1.9.6.

    Because of this, Wordfence is not happy, and reads this as a security issue.

    In the backend of WordPress I have 2 required updates, and the plugin has some menacing-looking red writing, saying that I need to get a subscription in order to update.

    This looks a bit forceful, and in my opinion it shouldn’t look like this.
    I should not have some red writing in the backend of my WordPress after I’ve done a security update, and your plugin should not ask for a subscription in that way, leaving my backend with 2 required updates to your plugin.

    You’ve done a security update, thank you for that; however, it looks more like a manoeuvre to force people into paying for a subscription again rather than a security update. That’s the way it looks to me, at least.

    It’s not a clean job.
    You could have offered the update as you did, without leaving these “red marks” in people’s backend. The security update should have been a complete script, not asking for more updates from those who choose (for whatever reason) not to pay extra money to re-buy the software. Your subscription should have been geared toward extra functionality, rather than a re-buy solution.

    I didn’t like the way the whole thing has been put.

    • Amir says:

      Clients with valid accounts get access to all of WPML updates and to our support.

      We released a free security-only update for WPML a few weeks back. This update addressed several security updates which could have opened your site to exploits. Paying client or not, we don’t want anyone’s site to be hacked due to older WPML versions.

      We keep developing WPML and producing new updates. Normally, our updates are not strictly meant to solve security problems. We provide updates with new features, bug fixes, compatibility with new WordPress versions and new features. These updates are only available to clients with valid accounts. WordPress shows you these updates, because they exist.

      If you don’t want to get new WPML versions, you can ignore these updates.

      If you upgraded from a very old WPML version, you only now see the new-version notices. This was included in WPML around two years ago. We thought that it’s better to notify about new versions directly in the WordPress admin, like most plugins do. Most people enjoy these notices, so they know when new versions are available.

      Of course, if you feel like our security upgrade isn’t a good idea for your site, you can always go back to the older versions.