
We just released WPML 4.7.3 with a security patch. The identified issue poses a low risk for most websites, but we strongly recommend upgrading your sites.

For security reasons, we can’t share the details of this fix, but it addresses a vulnerability that could expose sensitive information via shortcode injection.
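
To make the precondition concrete (the comments below explain that the fix only matters on sites that let visitors who are not logged in run shortcodes), here is an added example of what that condition looks like in code, shown beside a hardened version. This is not WPML's code and not part of the original announcement; the demo_ function names and the 'preview' form field are hypothetical, while do_shortcode(), strip_shortcodes(), wp_kses_post(), wp_unslash(), check_ajax_referer(), current_user_can(), add_action() and wp_die() are WordPress core functions.

```php
<?php
// Added example, not WPML's code. Illustrates the precondition described in
// this post: a site that lets unauthenticated visitors run shortcodes.
// Names prefixed demo_ and the 'preview' POST field are hypothetical; every
// other function called here is a WordPress core function.

// UNSAFE PATTERN: a front-end "preview" handler that expands shortcodes in text
// posted by anyone. Every shortcode registered on the site, including ones that
// print configuration or user data, becomes reachable by unauthenticated requests.
function demo_unsafe_preview() {
    $text = isset( $_POST['preview'] ) ? wp_unslash( $_POST['preview'] ) : '';
    echo do_shortcode( $text ); // visitor-controlled input reaches do_shortcode()
    wp_die();
}
// add_action( 'wp_ajax_nopriv_demo_preview', 'demo_unsafe_preview' ); // do not do this

// HARDENED PATTERN: the same handler. Shortcode expansion is reserved for
// logged-in users who are already allowed to publish unfiltered markup;
// everyone else gets their text back as plain, shortcode-free HTML.
function demo_safe_preview() {
    check_ajax_referer( 'demo_preview' ); // reject forged cross-site requests
    $text = isset( $_POST['preview'] ) ? wp_unslash( $_POST['preview'] ) : '';

    if ( current_user_can( 'unfiltered_html' ) ) {
        // Trusted author: expand shortcodes, but still strip disallowed HTML.
        echo do_shortcode( wp_kses_post( $text ) );
    } else {
        // Guest or low-privilege user: remove shortcode tags before output.
        echo wp_kses_post( strip_shortcodes( $text ) );
    }
    wp_die();
}
add_action( 'wp_ajax_demo_preview', 'demo_safe_preview' );        // logged-in users
add_action( 'wp_ajax_nopriv_demo_preview', 'demo_safe_preview' ); // guests: no shortcodes
```

A quick way to check whether your own theme or custom plugins fall into the unsafe pattern is to search them for do_shortcode( calls and confirm that none of them receives request data ($_POST, $_GET, REST parameters) or comment text from visitors; if none do, the conditions the comments describe are not met on that site.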

How to Update

We released this version to all sites, and it should already be available.

To update, log into your site’s admin, go to the Plugins page, and click to update the WPML Multilingual CMS (core) plugin.

It can take up to 24 hours for an update to reach all sites. If you don’t see this update on your site, please check again a bit later.

How to Report Security Issues

Security is always our top priority, and we have a dedicated page for reporting such issues.

If you find a security issue in any WPML plugin, please report it through our security and vulnerability page.

Coming Next: WPML 4.7.4 with WordPress 6.8 Compatibility

WordPress 6.8 is scheduled for release on April 15th. We’re planning to release WPML 4.7.4 just before that.

As always, we’re making sure WPML 4.7.4 is fully compatible with the new version of WordPress.

39 Responses to “WPML 4.7.3 – Security Patch”

  1. Hello,

    Please provide more details on the issue. It isn’t so easy to update websites. You have regularly some security issues. We need to understand if the issue is likely to happen or not at all so please provide more details about the scenario so that we can understand how urgent it is to update.

    • Hi Olivier, thank you for your comment. For security reasons, I cannot divulge too much but in general, this release fixes a vulnerability that could expose sensitive information via shortcode injection. I also updated this announcement to explain this.

      • Dario,

        Please clarify if a user needs to have admin and post edit access to be able to exploit the website? If not, then the update won’t be required for a lot of users.

        • Hi! This vulnerability requires guests/visitors, in other words people who are not logged into your site, to be able to run shortcodes. I hope this clarifies the issue.

          • Hi, Dario,

            thank you for the reply (albeit it was not for me, I am glad as well).

            Could you please clarify even further? As in:

            1) Is the prerequisite that user/guest has to have shortcode injection capability (which most guests do NOT have in standard configurations) for this to be exploitable?

            2) Or does this vulnerability now allow guests to execute shortcodes, which they previously could not have?

            Thank you and I understand you cannot disclose too much, but I would be indeed at more peace if you could clarify between options 1 or 2 further.

            With friendly regards,
            Miro

            • Hi, Miro! The prerequisite is for the site to allow users/guests to execute shortcodes. Cases like this are extremely rare (and definitely not recommended for any site ever) which is why we classified this as a non-critical issue. However, we think it’s always best to stay up to date and with the latest release. Thank you!

              • Hi Dario,

                thank you for the thorough reply. 👍

                You’re right that this is not standard config (nor shall be, as that opens a whole new can of worms) on most sites.

                Good to hear and thanks for responsible disclosure.

                Keep up the good work, guys and cheers,
                Miro

    • Hi Cynthia, I’m really sorry to hear about this issue. The best is to contact our support and let our supporters take a look as there might be many reasons for this.

  2. I recently had malware injected into my site via your last version. My site then started redirecting to a host of rather unpleasant sites. Your help desk told me it was not your plugin but Hostinger confirmed it was and had to clean my site. I went to a previous version of your plugin. I trust this is why you have updated and I won’t have this problem again?

    • Hi Guy! I don’t know what kind of security issue exactly you faced but I checked and this release came from a report from another client.

      I wanted to clarify something I think is very important: we take security extremely seriously and whenever there are issues on our side we move quickly and take full responsibility. And this is how security issues are supposed to be handled. So, if you reported an issue and our Support said it’s not on our side, this means our WPML Development Team looked into the issue and I can guarantee you 100% that what we told you is the truth. We would never deflect a security issue. I am also surprised that Hostinger told you that WPML is at fault but never contacted us about it because that would be the proper way to do it – if it was really our fault. Again, it wasn’t.

      Feel free to share your ticket where you raised this issue and I’ll be happy to double-check this with both, our Support Manager and our WPML Team Lead.

  3. I have updated to the latest version, and now I can’t translate. It just keeps loading all the time, the wheel is spinning, but nothing happens.

    Apparently, more people are having this issue.

    • Hi, Frank! Please, if you haven’t yet, create a ticket in our Support Forum. This release fixed only that one security issue and none of the code related directly to the translation was touched. We need to look at your site and see what’s going on. Thank you!

    • Hi, again Frank! I just learned that there’s an issue with the Advanced Translation Editor and the developers are already working on fixing it. It’s not related to the release at all.

    • Hi, Frank! Just wanted to let you know that this issue was fixed yesterday afternoon. It was totally unrelated to the WPML 4.7.3 release.

  4. I haven’t yet updated the plugin and since I received your email this morning announcing this new update I am unable to translate content in my website. It just goes in a loop forever saying “Preparing your content”.

    • Hi! Thanks for your comment. Please, create a ticket in our Support Forum and let our supporters take a look. As you haven’t yet updated WPML to the latest version, the problem is somewhere else.

    • Hi, again! There appears to be an issue with the Advanced Translation Editor and the developers are already working on fixing it.

    • Hi again! Just to confirm that this issue is now fixed and you can translate your content as usual again. This issue was completely unrelated to WPML 4.7.3. Thanks for your understanding!

    • Hi, Andre! The issue you and others are experiencing is not related to the WPML 4.7.3 update. Instead, I just learned that we’re having some issues with the Advanced Translation Editor (ATE) processing and the team is working on it right now.

      • Hello Dario,

        Thanks for getting back to me. I really appreciate you keeping everyone in the loop. Can you provide potential estimates? Are there any workarounds in the meantime?

        • Hi again, Andre! Just to confirm that the issue was fixed yesterday afternoon and you should be able to translate your site as usual. Thank you for your patience!

  5. Hello Dario – I updated to the latest WPML today. The update seems to have worked; however, I now get this prompt on my dashboard:
    WPML Update is Incomplete
    You are running updated sitepress-multilingual-cms, but the following component is not updated:

    wpml-string-translation (required version: 3.3.0)
    Your site will not work as it should in this configuration Please update all components which you are using. For WPML components you can receive updates from your WPML.org account or automatically, after you register WPML.

    My site is registered – and I’m not seeing 3.3.0 as an option to upgrade to. Can you advise?
    Thanks!

    • Hi, Jim! Yes, if you updated your site to WPML 4.7.3, you should definitely also update your site to the latest version of WPML String Translation – currently 3.3.2.

      If you didn’t already, do this: Go to the Plugins page, click Add New and then click the Commercial tab. On this page, click to check for updates and then check if the list below offers the String Translation update for 3.3.2.

      If this doesn’t help, try updating the plugin manually – download it from our Downloads page and upload it manually using the Plugins > Add New page.

      If none of the above helps, please create a ticket in our support forum and our supporters will quickly help.

  6. Yes, there is definitely a problem with the translator, as one German subpage doesn’t exist anymore and there is no way to even re-translate it (not having a German page when you have a lot of traffic there is killing). Hope your team fixes it asap. I opened a ticket but learned here that it is a general problem, not related to the recent update.

    • Hi, yes, there was an issue yesterday with an overload on our system. This was resolved and things are again fully operational!

      • But my German site is gone. Doesn’t connect. Additionally it always shows me that my working memory is 40MB. As I checked it with my provider, it is much more than requested.

        • Hi, I’m sorry but I don’t understand what you mean. In any case, it sounds like you really need to contact our Support and let them investigate this issue. It could literally be anything, but I highly doubt it’s related to WPML 4.7.3.

        • Hi again and sorry, I missed the fact that you already created the ticket. Could you please share the link to it so I can understand what the issue is about? Thank you!

  7. I contacted support (no answer after 2 days) and it happened exactly after the update. No coincidence? My German site is most important these days and support isn’t reacting.

      • Thx. If it is just bad luck I would retranslate the site, no problem. But even this is not possible (it just shows me a fragment of the English version) and a status “in translation” in the dashboard.

      • All my working memory is OK and now even the backoffice can’t be changed to English. Can I try an older version of WPML to see if that makes any difference?

        • Hi! Please work with our supporters on this issue, I have no access to the site and am not equipped to debug such issues. Thanks!

  8. Do you have any indication on when this vulnerability was introduced / in what version so that we can decide if it’s appropriate to go back and update old dusty sites or not?

    • Hi David, it’s been there for at least 5 years. If your sites don’t allow visitors to execute shortcodes on the frontend (which is highly unrecommended in itself anyway), it should be fine.
