Last week, we released WPML 4.6.13 and WooCommerce Multilingual 5.3.7 to patch a security issue reported by Wordfence. We want to share additional details about this fix and what it means to the security of your sites.
Timeline of Events
At WPML, security is our top priority, and we are committed to ensuring that your websites remain safe and secure. For this fix, we worked closely with Wordfence, one of the most respected names in the WordPress security community.
Wordfence contacted us about the WPML issue in July but unfortunately, the message ended up in the spam folder and went unnoticed for a bit. Thankfully, they sent us a follow-up email in August and we took it from there, patching the vulnerability immediately and providing Wordfence with a patched version for validation.
Being the great partners and experts they are, Wordfence reported another minor XSS vulnerability in the process, which we immediately patched as well.
In the meantime, we also got a report from Patchstack about a similar vulnerability in WooCommerce Multilingual.
After getting confirmation from them that the fix had passed all validation, we released WPML 4.6.13 and WooCommerce Multilingual 5.3.7 on August 20th.
Wordfence's Key Role
We'd like to use this opportunity to thank Wordfence for their great help with identifying and patching these vulnerabilities. The importance of their work for us and the whole WordPress ecosystem cannot be overstated.
Their diligence in following up on the initial report and their collaboration throughout the patching process is a testament to their commitment to the WordPress community.
How This Exploit Works and What It Means For You
Some online articles have described this issue as a "critical exploit" affecting over a million sites. While we completely agree that security is a serious matter, it's important to clarify exactly how this exploit works in real-world situations.
This vulnerability requires a bad actor to already have editing privileges on a WordPress site. In other words, they need an account with the Contributor role or higher on the targeted site.
In practice, then, the severity comes down to what types of users you have on your site. If you and your team are the only admins, writers, and editors on the site, there is no one outside your team who could exploit this vulnerability.
On the other hand, if your site has users with Contributor-level access (or higher) whom you don't know personally, you are at greater risk.
Finally, we want to emphasize that at no point were the majority of WPML users at risk. The patch was developed, tested, and released in close collaboration with Wordfence, and the issue has been fully resolved.
As always, we highly recommend keeping WPML and WooCommerce Multilingual up to date on your sites.
In Case Of Any Concerns
For our users and partners who may have been concerned by the recent reports, we want to assure you that there is no cause for alarm. The issue was quickly and effectively resolved, and there is no evidence that it was exploited in the wild.
If you have any questions or concerns, please feel free to contact us.
We remain committed to the security of your websites and to our ongoing collaboration with Wordfence and other security experts.
Thank you for your continued trust in WPML,
WPML Team