Plugin Vulnerability Hub
Plugin: 14 known issues. Latest disclosed: May 01, 2025.

WPML Vulnerabilities

Review known vulnerability records for the WordPress plugin WPML (`sitepress-multilingual-cms`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-3488 and CVE-2024-6386, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 14
High or Critical: 5
Patch Coverage: 100%
Last Updated: May 02, 2025

Priority CVE Quick Links

Fast paths into WPML CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 12

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WPML so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 14 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 2 critical and 3 high severity findings.
Recent CVEs: CVE-2025-3488 and CVE-2024-6386
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WPML

Sorted by latest disclosure date so newly published issues surface first.

Type: Plugin | Severity: Medium | Patched: Yes | CVE-2025-3488
CVE-2025-3488: WPML Multilingual CMS 3.6.0 - 4.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpml_language_switcher Shortcode

The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_switcher shortcode in versions 3.6.0 - 4.7.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated...

Published: May 01, 2025
Patched Release: 4.7.4
Affected Versions: 3.6.0 through 4.7.3
Next Step: Update to 4.7.4 or newer if supported.

Type: Plugin | Severity: Critical | Patched: Yes | CVE-2024-6386
CVE-2024-6386: WPML Multilingual CMS <= 4.6.12 - Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated att...

Published: Aug 21, 2024
Patched Release: 4.6.13
Affected Versions: Versions up to 4.6.12
Next Step: Update to 4.6.13 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes
WPML <= 4.6.0 - Reflected Cross-Site Scripting via wp_lang

The WPML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the wp_lang parameter in versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Published: Apr 16, 2023
Patched Release: 4.6.1
Affected Versions: Versions up to 4.6.0
Next Step: Update to 4.6.1 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes | CVE-2022-45071
CVE-2022-45071: WPML <= 4.5.13 - Cross-Site Request Forgery

The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to change the plugin settings via...

Published: Nov 09, 2022
Patched Release: 4.5.14
Affected Versions: Versions up to 4.5.13
Next Step: Update to 4.5.14 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes | CVE-2022-38461
CVE-2022-38461: WPML <= 4.5.10 - Missing Authorization to Settings Change

The WPML plugin for WordPress is vulnerable to missing authorization checks in versions up to, and including, 4.5.10. This is due to improper access controls on authorization for user controls. This makes it possible for subscriber-level attackers to perform plugin settings chang...

Published: Nov 09, 2022
Patched Release: 4.5.11
Affected Versions: Versions up to 4.5.10
Next Step: Update to 4.5.11 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes | CVE-2022-45072
CVE-2022-45072: WPML <= 4.5.13 - Cross-Site Request Forgery

The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unspecified function. This makes it possible for unauthenticated attackers to enact the status change of...

Published: Nov 09, 2022
Patched Release: 4.5.14
Affected Versions: Versions up to 4.5.13
Next Step: Update to 4.5.14 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes | CVE-2022-38974
CVE-2022-38974: WPML <= 4.5.10 - Missing Authorization to Translation Job Status Change

The WPML plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 4.5.10. This is due to improper access controls on authentication for user controls. This makes it possible for subscriber-level attackers to perform status changes of translati...

Published: Nov 09, 2022
Patched Release: 4.5.11
Affected Versions: Versions up to 4.5.10
Next Step: Update to 4.5.11 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes
WPML <= 4.5.10 - Unprotected AJAX Actions

The WPML plugin for WordPress contains several AJAX actions that fail to perform capability checks or nonce checks. These allow authenticated users to set content defaults, update language settings for legacy widgets, and abort translations.

Published: Sep 26, 2022
Patched Release: 4.5.11
Affected Versions: Versions up to 4.5.10
Next Step: Update to 4.5.11 or newer if supported.

Type: Plugin | Severity: High | Patched: Yes | CVE-2020-10568
CVE-2020-10568: WPML < 4.3.7 - Cross-Site Request Forgery Bypass

The sitepress-multilingual-cms (WPML) plugin before 4.3.7 for WordPress has CSRF due to a loose comparison. This leads to remote code execution in includes/class-wp-installer.php via a series of requests that leverage unintended comparisons of integers to strings.

Published: Mar 09, 2020
Patched Release: 4.3.7
Affected Versions: Versions before 4.3.7
Next Step: Update to 4.3.7 or newer if supported.

Type: Plugin | Severity: High | Patched: Yes | CVE-2018-18069
CVE-2018-18069: WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting

process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an unauthenticated theme-localization.php request to wp-admin/admin.php.

Published: Oct 08, 2018
Patched Release: 4.0
Affected Versions: Versions up to 3.6.3
Next Step: Update to 4.0 or newer if supported.

Type: Plugin | Severity: Medium | Patched: Yes | CVE-2015-9416
CVE-2015-9416: WPML 2.9.3-3.2.6 - Cross-Site Scripting in Accept-Language Header

The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header.

Published: Sep 02, 2015
Patched Release: 3.2.7
Affected Versions: 2.9.3 through 3.2.6
Next Step: Update to 3.2.7 or newer if supported.

Type: Plugin | Severity: Critical | Patched: Yes | CVE-2015-2314
CVE-2015-2314: WPML <= 3.1.9 - SQL Injection via lang Parameter

SQL injection vulnerability in the WPML plugin before 3.1.9.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.

Published: Mar 10, 2015
Patched Release: 3.1.9.1
Affected Versions: Versions up to 3.1.9
Next Step: Update to 3.1.9.1 or newer if supported.