This is the technical support forum for WPML - the multilingual WordPress plugin.

This topic contains 1 reply, has 2 voices.

Last updated by Mohamed Sayed 1 year, 11 months ago.

Assisted by: Mohamed Sayed.

July 25, 2023 at 2:11 pm #14097179

sarahM-29

I received an email from WP Engine and wanted to share. Is there a fix in progress for this already?

At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site is utilizing a vulnerable version of the WPML String Translation plugin.

At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability.

WP Engine summary of the vulnerability: The plugin contains a vulnerability wherein unauthenticated visitors could inject SQL statements into WordPress. SQL injection could allow an attacker to gain control of your site.

Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine:
hidden link

July 25, 2023 at 6:38 pm #14098681

Mohamed Sayed

Hi there,
Thanks for contacting WPML support.

The fix for this issue was included in the latest version of the "String Translation" addon plugin (3.2.6).

Please create a full backup of the database and website, then update the WPML plugins to the latest version.

Kind regards,
Mohamed