Resolved
Reported for: WPML Multilingual CMS 4.5.13
Resolved in: WPML 4.5.14
Overview of the issue
With WPML 4.5.x, you may get a report from Plesk or cPanel about a “Cross-Site Request Forgery (CSRF) vulnerability.”
The issue was fixed in WPML 4.5.14, and the notice will be removed once the Patchstack security issues database updates.
Workaround
We just released WPML 4.5.14, which should solve this issue. You can find more information about this version here.
I got this today. WP broke completely. How to roll back to the previous version? Or just wait?
Updating String translation to the latest version seemed to help get back to normal.
Hello there,
I’m glad that updating your WPML helped. Actually, your situation is not related to the issue reported here but to WordPress 6.1.
You can find more information about it in this link
https://wpml.org/changelog/2022/10/wpml-4-5-12-updates-for-wordpress-6-1/.
Have a nice day!
Hi,
Wordfence installed on my site found Critical Problems:
* The Plugin “WPML Multilingual CMS” has a security vulnerability.
CVE-2022-45071
and I recommend that you remove or uninstall the plugin until the problem is corrected
Thank you for your report, Antonio. We are aware of its importance and we are working on it to provide a fix as soon as possible. That’s why we just released a beta version including a fix for it.
I have the problem too. Are our sites with WPML at risk? What is the next step? Thanks
Hey Arben,
We just published yesterday a new WPML 4.5.14 beta version which solves this issue and we are planning to release a stable version soon.
You can find more information about it here:
https://wpml.org/changelog/2022/11/wpml-4-5-14-security-improvements/
Regards
Wanted to add a note: After updating to the beta version of WPML 4.5.14 I noticed that it automatically also updated the ACFML plugin to 2.0 Beta. I haven’t seen any issues yet, on any of the sites, but this is a major re-write of the ACFML plugin, I understand.
I am nervously waiting for the final release and for instructions on any breaking changes.
Daveed
Hello Daveed,
You are totally right, the new ACFML beta is an important rewrite. You can manually install our latest stable version from this link:
https://wpml.org/account/downloads/
Regarding WPML 4.5.14, we hope to have a stable version really soon.
Thank you for your understanding.
Regards
Hi,
Same problem here:
* The Plugin “WPML Multilingual CMS” has a security vulnerability.
CVE-2022-45071
Do you recommend updating to the WPML 4.5.14 beta version? How can I protect my sites at this moment? This is obviously a very serious issue. In the latest weeks I’ve encountered a lot of compatibility issues and breaks on my sites, all of them due to WPML.
Hello there,
We understand your concern, that’s why we had a quick fix shipped with our beta version.
We are planning to release a stable version soon, but the beta is safe to go.
Regards
Hello everyone,
We just released a stable version of WPML 4.5.14 which should address this issue.
Thank you all!
I’m getting a warning for this on 4.5.14 as well.
Thank you for your report, Markus; however, I’m unable to reproduce it. Could you please open a new chat so we can investigate it?
WPML plugin is giving the following issue:
“The WPML plugin is unable to connect to wpml.org.
To check for new versions and security updates, WPML must connect to its server. Something in the network or security settings prevents this. To remove this warning, allow outbound communication to wpml.org.”
Please advise how to solve this.
Best regards,
Raffaella
Hello Raffaella,
This issue is not related to the issue described here. I recommend that you check this other link and follow those recommendations:
https://wpml.org/errata/cant-connect-to-the-translation-editor-or-stuck-translation-jobs/
And if the issue persists, please open a ticket in our support forum.
Regards
I’m also getting a warning for this on 4.5.14 as well.
Thank you, Mike. Yes, we just updated the erratum and the notice will be removed once the Patchstack security issues database updates.
However, it is safe to go with WPML 4.5.14.
Cheers!
Hi, even with the new version 4.5.14 I get this security warning:
Plugin Name: WPML Multilingual CMS
Current Plugin Version: 4.5.14
Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “WPML Multilingual CMS” until a patched version is available.
Vulnerability Information: https://www.cve.org/CVERecord?id=CVE-2022-45071
Hey there,
This issue is already fixed with WPML 4.5.14 and the notice will be removed once the Patchstack security issues database updates.
Regards
The security issue still exists in Wordfence notification after updating WPML to version 4.5.15.
What should I do to avoid this security issue?
Hey there,
This issue is already fixed with WPML 4.5.14 and the notice will be removed once the Patchstack security issues database updates.
Regards
Hi everybody,
I need to update your plugin to the 4.5.14 version, but the notice in the WordPress back end did not show up, even though the previous warning about the site not being linked to WPML is gone.
I wish to fix it as soon as possible. Please advise.
Thank you,
Raffaella
Hello Raffaella,
If you are not yet receiving the possibility to update your WPML, please try the following:
https://wpml.org/faq/install-wpml/#checking-for-updates
Otherwise, you can also update it manually as explained here:
https://wpml.org/faq/updating-wpml-manually/
If you still can’t update it, don’t hesitate to open a ticket in our support forum where our team will be able to help you better.
Regards
Hi there,
Following your instructions, I was able to reconnect the automatic updates and install the 4.5.14 update. However, the error in Plesk persists. It does not seem to detect the fact that the update has occurred. I await your new info. Regards, Raffaella
Hello Raffaella,
I’m glad to know that you were able to upgrade your WPML and solve this vulnerability issue. This message should disappear soon and depends on how long Plesk takes to upgrade its database. Have you tried to contact your hosting provider?
If that’s the case and the alert remains, don’t hesitate to open a ticket in our support forum.
Regards