Vulnerability Database

317,105

Total vulnerabilities in the database

CVE-2024-6386

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Published: Aug 21, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-6386
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-94
CWE-1336

Affected Software
References

Software	From	Fixed in
wpml / wpml	-	4.6.13

https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/
https://wpml.org/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo