Critical plugin flaw opens over a million WordPress sites to RCE attacks
RCE through Twig SSTI
Twig server-side template injection (SSTI) is a vulnerability that occurs when user input is handled improperly and inserted directly into the source of a Twig template (Twig is a popular PHP templating engine) rather than passed to it as data. Because the template engine compiles whatever ends up in that source, a web application that lets a user (an attacker) inject malicious payloads into the template without proper sanitization or escaping can be driven to remote code execution.
“The vulnerability lies in the handling of shortcodes within the WPML plugin,” stealthcopter added. “Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).”
Shortcodes in WordPress enable users to easily add dynamic content, such as galleries, forms, buttons, or custom content blocks, to posts, pages, or widgets without needing to write complex code.
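The pattern the quote above describes, as an added illustration that is not WPML's own code: a shortcode callback that splices a shortcode attribute into the Twig template source, beside one that keeps the template fixed and passes the attribute as a template variable, with Twig's sandbox enabled as defence in depth. The function names, the `wpml_demo` shortcode tag and the `title` attribute are assumptions made for the example; it requires the twig/twig package installed via Composer.

```php
<?php
// Added example, not WPML's code: unsafe vs safe rendering of a shortcode
// attribute with Twig. Requires twig/twig (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE: the attribute value becomes part of the template *source*, so
// any Twig syntax it contains ({{ ... }}, {% ... %}) is compiled and executed.
// This is the shape of bug the article describes (SSTI).
function render_shortcode_unsafe(array $atts): string
{
    $twig   = new Environment(new ArrayLoader());
    $source = '<span class="demo">' . ($atts['title'] ?? '') . '</span>';
    return $twig->createTemplate($source)->render([]);
}

// SAFE: the template source is a fixed string written by the developer; user
// input enters only as a *variable* in the render context, where Twig treats
// it as data and HTML-escapes it (autoescape). The sandbox policy additionally
// restricts what any compiled template may use, as defence in depth.
function render_shortcode_safe(array $atts): string
{
    $loader = new ArrayLoader([
        'shortcode.html.twig' => '<span class="demo">{{ title }}</span>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);

    // Allow only the 'if' tag and the 'escape' filter (needed by autoescape);
    // no functions, methods or property access are permitted.
    $policy = new SecurityPolicy(['if'], ['escape'], [], [], []);
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig->render('shortcode.html.twig', [
        'title' => $atts['title'] ?? '',
    ]);
}

// Constructed sample input: a title that happens to contain Twig syntax
// and an HTML tag, as an attacker-controlled attribute might.
$atts = ['title' => 'Hello {{ 1 + 1 }} <b>world</b>'];

echo "unsafe: ", render_shortcode_unsafe($atts), PHP_EOL;
echo "safe:   ", render_shortcode_safe($atts), PHP_EOL;

// In a real plugin, register only the safe renderer as the shortcode handler
// (hypothetical tag name; guarded so the script also runs outside WordPress).
if (function_exists('add_shortcode')) {
    add_shortcode('wpml_demo', 'render_shortcode_safe');
}
```

Run with `php example.php`. In the unsafe output the `{{ 1 + 1 }}` inside the attribute has been evaluated by Twig and the `<b>` tag is emitted raw, which shows that the user-controlled string was treated as template code; in the safe output the braces appear literally and the tag is entity-encoded, because the value never touched the template source. The fix is therefore not extra escaping of the string before concatenation but a change of where the data flows: into the context array, never into the source.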