Critical plugin flaw opens over a million WordPress sites to RCE attacks
- by nlqip
RCE through Twig SSTI
Twig server-side template injection (SSTI) is a type of security vulnerability that occurs when user input is improperly handled and directly inserted into a Twig template, a popular PHP templating engine. Remote code execution can be achieved when a web application allows the user (an attacker) to inject malicious payloads into the Twig template without proper sanitization or escaping.
“The vulnerability lies in the handling of shortcodes within the WPML plugin,” stealthcopter added. “Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).”
Shortcodes in WordPress enable users to easily add dynamic content, such as galleries, forms, buttons, or custom content blocks, to posts, pages, or widgets without needing to write complex code.
Source link
lol
RCE through Twig SSTI Twig server-side template injection (SSTI) is a type of security vulnerability that occurs when user input is improperly handled and directly inserted into a Twig template, a popular PHP templating engine. Remote code execution can be achieved when a web application allows the user (an attacker) to inject malicious payloads into…
Recent Posts
- CISA warns of actively exploited Apache HugeGraph-Server bug
- Suspects behind $230 million cryptocurrency theft arrested in Miami
- Ivanti Says ‘Critical’ Cloud Gateway Vulnerability Seeing Exploitation
- Microsoft Edge will flag extensions causing performance issues
- Sophos CEO On How EDR Vendors, Microsoft Are ‘Rethinking’ Security After CrowdStrike Outage