We just released WPML 4.5.14 with a minor security improvement.
A few weeks ago, we received reports about a security notice related to WPML. The notice displays only in the Plesk control panel and describes the issue as a «Cross-Site Request Forgery (CSRF) vulnerability». We’re grateful to everyone that reported this.
Update: after releasing WPML 4.5.14, we received reports from clients that it successfully fixes the related security notice in Plesk.
When this Vulnerability Appears
The issue is extremely unlikely to be exploited and happens only under very specific circumstances:
A user with admin permissions clicks on a malicious link from an external site using the same browser session/cookies
…and one of the following is also true:
Server is explicitly configured to allow Cross-Origin Resource Sharing (CORS) with the domain used by the attacker
The affected user is using a browser that neglects CORS settings or passes cookie information for requests without cross-origin policies
As far as we know, nobody actually configured their sites in this way and nobody was affected by this issue.
WPML 4.5.14 is out now and solves this issue.
The Importance of Security Reports
We are aware of the importance of security reports and we usually react immediately. This time, we got sidelined by the issues related to WordPress 6.1 so it took us a bit more than usual to respond.
We’re already improving our workflow to make sure even the smallest security reports are investigated, fixed, and released immediately.
How to Update to WPML 4.5.14
This release is being rolled out gradually. If you want to get it right now, you can check for the update manually. To do this, go to Plugins → Add New and click the Commercial tab. Then, click Check for updates.