We just released WPML 4.5.14 with a minor security improvement.
A few weeks ago, we received reports about a security notice related to WPML. The notice displays only in the Plesk control panel and describes the issue as a “Cross-Site Request Forgery (CSRF) vulnerability”. We’re grateful to everyone that reported this.
Update: after releasing WPML 4.5.14, we received reports from clients that it successfully fixes the related security notice in Plesk.
When this Vulnerability Appears
The issue is extremely unlikely to be exploited and happens only under very specific circumstances:
A user with admin permissions clicks on a malicious link from an external site using the same browser session/cookies
…and one of the following is also true:
Server is explicitly configured to allow Cross-Origin Resource Sharing (CORS) with the domain used by the attacker
The affected user is using a browser that neglects CORS settings or passes cookie information for requests without cross-origin policies
As far as we know, nobody actually configured their sites in this way and nobody was affected by this issue.
WPML 4.5.14 is out now and solves this issue.
The Importance of Security Reports
We are aware of the importance of security reports and we usually react immediately. This time, we got sidelined by the issues related to WordPress 6.1 so it took us a bit more than usual to respond.
We’re already improving our workflow to make sure even the smallest security reports are investigated, fixed, and released immediately.
How to Update to WPML 4.5.14
This release is being rolled out gradually. If you want to get it right now, you can check for the update manually. To do this, go to Plugins → Add New and click the Commercial tab. Then, click Check for updates.
Checking for the WPML 4.5.14 update
You can also download it directly from your WPML account.
Thoughts, Feedback?
Use the comments below to let us know your thoughts on this release and we’ll reply.
11 Responses to “WPML 4.5.14 – Security Improvements”
I’m very disappointed!
The same bad usability during update of WP 6.1. WPML is not able to display new version as all other plugins (paid and free) in Pluging list. You have to click on Add New/Commercials and got the info, everything OK. Than you must search for new updates and after this 3 clicks, you normaly never do!, you have the chance to update this vulnerable Version. I can’t understand, that a plugin which is so long at the market, can’t do this better. I do maintenance for over 60 WP-installation and check this with Infinite WP, but didn’t get any notification about these important updates! And if I check after login, I have to go I have to go this cumbersome way. When will you change this?
Gerd
Hi, Gerd! Please allow me to explain. We publish all WPML releases to clients gradually, in batches. For example, in the first week (or even more), only 1% of the sites see the update available directly on the Plugins page. Then, when we see there are no reported issues/side effects, we push it to more sites (10%, 20%, etc.). Finally, when we’re certain there are absolutely no issues, we push it to 100%. And THEN it appears directly on the Plugins page for everyone.
So, why do we do this? It’s simple. WPML powers more than a million sites which are all configured differently and use different infrastructures and plugins. If we push a new release to more than a million of sites and it introduces only a smaller issue, it would be chaos. We know this because this is how it was in the past (some years ago) before we introduced the gradual roll-out.
Also, it’s important to understand that in 99% of the releases, you shouldn’t worry about it, you shouldn’t update your sites before we send it your way. Just wait until it’s available to everyone and you should be set. The only reason why you should use the Add New > Commercial tab to get any release early is if you have an issue that this version explicitly fixes. If that’s not the case, it’s best to just wait until the release comes on its own.
Finally, since you posted on the announcement for WPML 4.5.14… This is a super minor update, with a fix for a really minor security notice which is extremely unlikely to cause any issue with your sites. In other words, this is the perfect example of a release that you don’t have to get early. And I wrote this also in the announcement itself, I suggest simply waiting until we push it to 100% of sites.
I hope this help explain our release process. It’s actually meant to protect your sites.
P.S. In the coming days, we’re publishing an FAQ page about how WPML updates work where all of what I just wrote will be explained.
When will it be available via f.e. plesk servers to update the plugin?
It is stil nog available via this way so we can update it for our customers.
Hi, Ron! As per my previous reply to Gerd, a WPML release becomes visible to everyone from the Plugins page, AND from your Plesk panel, once we “push” it to 100% of clients. As our fix for this security notice was confirmed by Patchstack, we hope to release it to 100% this week.
If you want this update even earlier (please note that this really is not a critical update), log into your site, go to Plugins > Add New and click the Commercial tab. Then, click the “Check for updates” button and click to update WPML to 4.5.14.
Hi again, Ron! We just released WPML 4.5.14 to 100% of clients so you should be able to see it for all your sites.
Hello! I’ve recently updated the plugin to this release and just received the following from my host. Can you help me?
“We are reaching out to you today because we identified your site(s), wpml1122, is (are) utilizing a vulnerable version of the WPML plugin.
According to the author of this plugin, this issue has been patched in a recent update to the plugin.
WP Engine summary of the vulnerability: This vulnerability allows an attacker to target privileged authenticated users with malicious links that make authenticated requests to WordPress on behalf of the user. An attacker could use this vulnerability to modify site configuration, including adding backdoors such as other WordPress administrators. Additionally, the software does not perform an authorization check when an actor attempts to access a resource or perform an action.
To secure your site, please upgrade to the latest version of this plugin.”
Hi, Tom! Do I understand correctly that you updated WPML to the 4.5.14 version but WP Engine is still telling you that you need to update WPML? If that’s the case maybe it just takes a bit of time for WP Engine to see your site is running the latest version. Maybe there’s an update button/trigger that will make WP Engine’s panel rescan your site and see that you’re indeed running WPML 4.5.14?
Hi,
When WPML version 4.6 will be released?
Where we can find more information for new features, tweaks, fixes for this version?
Thanks,
Steve
Hi, Steve! We are finishing the development of WPML 4.6 this month and plan to release it in January.
There is currently no article that talks about the upcoming 4.6 release but we hope to release the beta for it before the holidays. The announcement for the beta will have all the major information.
I have recently faced issue with conflict between WP Forms and WPML, getting critical error when browsing WPform admin page.
Hi, Shahmir! Sorry to hear about your issue but I don’t understand how this relates to WPML 4.5.14?
I looked and there are only two issues reported for WPForms (link 1, link 2) but they’re not what you describe.
It’s best to report this using our official Support page. Our supporters can take a close look and see what causes this issue.
I’m very disappointed!
The same bad usability during update of WP 6.1. WPML is not able to display new version as all other plugins (paid and free) in Pluging list. You have to click on Add New/Commercials and got the info, everything OK. Than you must search for new updates and after this 3 clicks, you normaly never do!, you have the chance to update this vulnerable Version. I can’t understand, that a plugin which is so long at the market, can’t do this better. I do maintenance for over 60 WP-installation and check this with Infinite WP, but didn’t get any notification about these important updates! And if I check after login, I have to go I have to go this cumbersome way. When will you change this?
Gerd
Hi, Gerd! Please allow me to explain. We publish all WPML releases to clients gradually, in batches. For example, in the first week (or even more), only 1% of the sites see the update available directly on the Plugins page. Then, when we see there are no reported issues/side effects, we push it to more sites (10%, 20%, etc.). Finally, when we’re certain there are absolutely no issues, we push it to 100%. And THEN it appears directly on the Plugins page for everyone.
So, why do we do this? It’s simple. WPML powers more than a million sites which are all configured differently and use different infrastructures and plugins. If we push a new release to more than a million of sites and it introduces only a smaller issue, it would be chaos. We know this because this is how it was in the past (some years ago) before we introduced the gradual roll-out.
Also, it’s important to understand that in 99% of the releases, you shouldn’t worry about it, you shouldn’t update your sites before we send it your way. Just wait until it’s available to everyone and you should be set. The only reason why you should use the Add New > Commercial tab to get any release early is if you have an issue that this version explicitly fixes. If that’s not the case, it’s best to just wait until the release comes on its own.
Finally, since you posted on the announcement for WPML 4.5.14… This is a super minor update, with a fix for a really minor security notice which is extremely unlikely to cause any issue with your sites. In other words, this is the perfect example of a release that you don’t have to get early. And I wrote this also in the announcement itself, I suggest simply waiting until we push it to 100% of sites.
I hope this help explain our release process. It’s actually meant to protect your sites.
P.S. In the coming days, we’re publishing an FAQ page about how WPML updates work where all of what I just wrote will be explained.
When will it be available via f.e. plesk servers to update the plugin?
It is stil nog available via this way so we can update it for our customers.
Hi, Ron! As per my previous reply to Gerd, a WPML release becomes visible to everyone from the Plugins page, AND from your Plesk panel, once we “push” it to 100% of clients. As our fix for this security notice was confirmed by Patchstack, we hope to release it to 100% this week.
If you want this update even earlier (please note that this really is not a critical update), log into your site, go to Plugins > Add New and click the Commercial tab. Then, click the “Check for updates” button and click to update WPML to 4.5.14.
Hi again, Ron! We just released WPML 4.5.14 to 100% of clients so you should be able to see it for all your sites.
Hello! I’ve recently updated the plugin to this release and just received the following from my host. Can you help me?
“We are reaching out to you today because we identified your site(s), wpml1122, is (are) utilizing a vulnerable version of the WPML plugin.
According to the author of this plugin, this issue has been patched in a recent update to the plugin.
WP Engine summary of the vulnerability: This vulnerability allows an attacker to target privileged authenticated users with malicious links that make authenticated requests to WordPress on behalf of the user. An attacker could use this vulnerability to modify site configuration, including adding backdoors such as other WordPress administrators. Additionally, the software does not perform an authorization check when an actor attempts to access a resource or perform an action.
Plugin Authors’ summary of the vulnerability and patch (changelog): Please note that questions related to this documentation should be directed to the plugin Author and not WP Engine: https://wordpress.org/plugins/sitepress-multilingual-cms/#developers
Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38461
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45072
https://wpscan.com/vulnerability/8bf2529a-3fc3-47bb-959a-1f97bd6e4ec1
https://wpscan.com/vulnerability/d4007060-aea1-4e69-bb3c-360cf2ee6e33
To secure your site, please upgrade to the latest version of this plugin.”
Hi, Tom! Do I understand correctly that you updated WPML to the 4.5.14 version but WP Engine is still telling you that you need to update WPML? If that’s the case maybe it just takes a bit of time for WP Engine to see your site is running the latest version. Maybe there’s an update button/trigger that will make WP Engine’s panel rescan your site and see that you’re indeed running WPML 4.5.14?
Hi,
When WPML version 4.6 will be released?
Where we can find more information for new features, tweaks, fixes for this version?
Thanks,
Steve
Hi, Steve! We are finishing the development of WPML 4.6 this month and plan to release it in January.
There is currently no article that talks about the upcoming 4.6 release but we hope to release the beta for it before the holidays. The announcement for the beta will have all the major information.
I have recently faced issue with conflict between WP Forms and WPML, getting critical error when browsing WPform admin page.
Hi, Shahmir! Sorry to hear about your issue but I don’t understand how this relates to WPML 4.5.14?
I looked and there are only two issues reported for WPForms (link 1, link 2) but they’re not what you describe.
It’s best to report this using our official Support page. Our supporters can take a close look and see what causes this issue.