
We just released WPML 4.5.14 with a minor security improvement.

A few weeks ago, we received reports about a security notice related to WPML. The notice displays only in the Plesk control panel and describes the issue as a “Cross-Site Request Forgery (CSRF) vulnerability”. We’re grateful to everyone who reported this.

Update: after releasing WPML 4.5.14, we received reports from clients that updating clears the related security notice in Plesk.

When this Vulnerability Appears

The issue is unlikely to be exploited in practice, because it needs a specific chain of conditions:

  • A user with admin permissions, while logged in to the site, clicks a malicious link (or visits a page that auto-submits a form) on an external site in the same browser, so that the request carries the WordPress login cookies
  • The request reaches a WPML action that changes state without verifying a nonce tied to that user’s session

One point worth being precise about, since this is where CSRF is often misunderstood: the server’s Cross-Origin Resource Sharing (CORS) configuration does not enter into it. CORS governs whether a script on another origin may read a response; it does not stop the browser from sending a cross-site request or from attaching cookies to it. What does limit exposure is the SameSite attribute on the login cookies. Chromium-based browsers treat cookies without an explicit SameSite value as Lax, which withholds them on cross-site POST requests but still sends them on a top-level navigation such as a clicked link, so an endpoint that changes state on a GET request remains reachable that way; browsers without that default may attach the cookies to cross-site POSTs as well. The standard WordPress defence is therefore independent of CORS and of the browser: the handler must check a nonce that a cross-site page cannot know, together with the user’s capability.

As far as we know, nobody was affected by this issue.
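As an added illustration (not WPML’s own code, and not a copy of the 4.5.14 change), here is the pattern such a fix applies in a WordPress plugin: a state-changing admin action with no protection, next to the same action with the method check, capability check and nonce check that defeat a cross-site request. The action name `examplemu_save_setting`, the option name `examplemu_setting` and the nonce field name are invented for the example; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are real core APIs.

```php
<?php
/**
 * Added example, not WPML code. Shows a WordPress admin action before and
 * after CSRF hardening. The action/option/nonce names are assumptions.
 */

// BEFORE: trusts any request that arrives with a valid login cookie.
// An admin who visits an attacker's page that links to or auto-submits
//   admin-post.php?action=examplemu_save_setting&value=...
// gets the option changed, because nothing proves the request came from
// a form this site rendered for this user.
function examplemu_save_setting_unprotected() {
    $value = isset( $_REQUEST['value'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['value'] ) ) : '';
    update_option( 'examplemu_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=examplemu' ) );
    exit;
}

// AFTER: three checks, in this order.
function examplemu_save_setting_protected() {
    // 1. Only POST changes state. A SameSite=Lax login cookie is not sent on a
    //    cross-site POST, and a plain clicked link can no longer trigger this.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( esc_html__( 'Invalid request method.', 'examplemu' ), 405 );
    }

    // 2. Authorization: the user must actually be allowed to do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'examplemu' ), 403 );
    }

    // 3. CSRF: check_admin_referer() dies with a 403 if the nonce is missing
    //    or invalid. The nonce is bound to the user, the action string and a
    //    time window, so a page on another origin cannot forge it.
    check_admin_referer( 'examplemu_save_setting', '_examplemu_nonce' );

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'examplemu_setting', $value );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=examplemu' ) ) );
    exit;
}
add_action( 'admin_post_examplemu_save_setting', 'examplemu_save_setting_protected' );

// The legitimate form. wp_nonce_field() emits the hidden nonce (and a
// _wp_http_referer field) that check_admin_referer() validates above.
function examplemu_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="examplemu_save_setting">
        <?php wp_nonce_field( 'examplemu_save_setting', '_examplemu_nonce' ); ?>
        <input type="text" name="value" value="<?php echo esc_attr( get_option( 'examplemu_setting', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'examplemu' ) ); ?>
    </form>
    <?php
}
```

The same three checks apply to the other entry points a plugin exposes: an `admin-ajax.php` handler uses `check_ajax_referer()`, and a REST route relies on the `X-WP-Nonce` header plus a `permission_callback`. A capability check on its own is not enough, because the forged request runs with the victim’s capabilities; a nonce check on its own is not enough either, because a low-privilege user can obtain a nonce for their own session.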

WPML 4.5.14 is out now and solves this issue.

The Importance of Security Reports

We are aware of the importance of security reports and we usually react immediately. This time, we were sidetracked by the issues related to WordPress 6.1, so it took us longer than usual to respond.

We’re already improving our workflow to make sure even the smallest security reports are investigated, fixed, and released immediately.

How to Update to WPML 4.5.14

This release is being rolled out gradually. If you want to get it right now, you can check for the update manually. To do this, go to Plugins > Add New and click the Commercial tab. Then, click Check for updates.

Checking for the WPML 4.5.14 update

You can also download it directly from your WPML account.

Thoughts, Feedback?

Use the comments below to let us know your thoughts on this release and we’ll reply.

7 Responses to “WPML 4.5.14 – Security Improvements”

  1. I’m very disappointed!
    The same bad usability as during the update to WP 6.1. WPML is not able to display the new version in the Plugins list like all other plugins (paid and free). You have to click on Add New/Commercial and get the info that everything is OK. Then you must search for new updates, and after these 3 clicks, which you normally never do, you have the chance to update this vulnerable version. I can’t understand that a plugin which has been on the market for so long can’t do this better. I do maintenance for over 60 WP installations and check this with Infinite WP, but didn’t get any notification about these important updates! And if I check after login, I have to go this cumbersome way. When will you change this?

    Gerd

    • Hi, Gerd! Please allow me to explain. We publish all WPML releases to clients gradually, in batches. For example, in the first week (or even more), only 1% of the sites see the update available directly on the Plugins page. Then, when we see there are no reported issues/side effects, we push it to more sites (10%, 20%, etc.). Finally, when we’re certain there are absolutely no issues, we push it to 100%. And THEN it appears directly on the Plugins page for everyone.

      So, why do we do this? It’s simple. WPML powers more than a million sites which are all configured differently and use different infrastructures and plugins. If we push a new release to more than a million of sites and it introduces only a smaller issue, it would be chaos. We know this because this is how it was in the past (some years ago) before we introduced the gradual roll-out.

      Also, it’s important to understand that in 99% of the releases, you shouldn’t worry about it, you shouldn’t update your sites before we send it your way. Just wait until it’s available to everyone and you should be set. The only reason why you should use the Add New > Commercial tab to get any release early is if you have an issue that this version explicitly fixes. If that’s not the case, it’s best to just wait until the release comes on its own.

      Finally, since you posted on the announcement for WPML 4.5.14… This is a super minor update, with a fix for a really minor security notice which is extremely unlikely to cause any issue with your sites. In other words, this is the perfect example of a release that you don’t have to get early. And I wrote this also in the announcement itself, I suggest simply waiting until we push it to 100% of sites.

      I hope this helps explain our release process. It’s actually meant to protect your sites.

      P.S. In the coming days, we’re publishing an FAQ page about how WPML updates work where all of what I just wrote will be explained.

    • Hi, Ron! As per my previous reply to Gerd, a WPML release becomes visible to everyone from the Plugins page, AND from your Plesk panel, once we “push” it to 100% of clients. As our fix for this security notice was confirmed by Patchstack, we hope to release it to 100% this week.

      If you want this update even earlier (please note that this really is not a critical update), log into your site, go to Plugins > Add New and click the Commercial tab. Then, click the “Check for updates” button and click to update WPML to 4.5.14.

  2. Hello! I’ve recently updated the plugin to this release and just received the following from my host. Can you help me?

    “We are reaching out to you today because we identified your site(s), wpml1122, is (are) utilizing a vulnerable version of the WPML plugin.

    According to the author of this plugin, this issue has been patched in a recent update to the plugin.

    WP Engine summary of the vulnerability: This vulnerability allows an attacker to target privileged authenticated users with malicious links that make authenticated requests to WordPress on behalf of the user. An attacker could use this vulnerability to modify site configuration, including adding backdoors such as other WordPress administrators. Additionally, the software does not perform an authorization check when an actor attempts to access a resource or perform an action.

    Plugin Authors’ summary of the vulnerability and patch (changelog): Please note that questions related to this documentation should be directed to the plugin Author and not WP Engine: https://wordpress.org/plugins/sitepress-multilingual-cms/#developers

    Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45072
    https://wpscan.com/vulnerability/8bf2529a-3fc3-47bb-959a-1f97bd6e4ec1
    https://wpscan.com/vulnerability/d4007060-aea1-4e69-bb3c-360cf2ee6e33

    To secure your site, please upgrade to the latest version of this plugin.”

    • Hi, Tom! Do I understand correctly that you updated WPML to the 4.5.14 version but WP Engine is still telling you that you need to update WPML? If that’s the case maybe it just takes a bit of time for WP Engine to see your site is running the latest version. Maybe there’s an update button/trigger that will make WP Engine’s panel rescan your site and see that you’re indeed running WPML 4.5.14?
