WordPress Plugin WPML Unauthenticated Stored XSS - Vulnerability Database

WordPress Plugin WPML Unauthenticated Stored XSS

Description

The WPML (WordPress Multilingual) plugin, versions up to and including 3.6.3, contains an unauthenticated stored cross-site scripting (XSS) vulnerability in sitepress.class.php. An attacker with no account on the site can submit a crafted locale_file_name_en POST parameter containing HTML and JavaScript, and the plugin saves that value to the WordPress database without rejecting it. Because the stored value is later echoed into a page without escaping, the injected script runs in the browser of any user who views the affected page, including administrators, where it can act with that user's session and privileges.

Remediation

Immediately upgrade the WPML plugin to version 3.6.4 or later, which addresses this vulnerability. To update the plugin:

1. Navigate to the WordPress admin dashboard
2. Go to Plugins > Installed Plugins
3. Locate WPML and click Update Now
4. Verify the update completed successfully by checking the version number

If automatic updates are not available, download the latest version from the official WPML website and install it manually, then confirm the running version is 3.6.4 or later (the plugin header in the admin dashboard, or `wp plugin list` under WP-CLI, both show it). Patching stops new injections but does not remove payloads that were stored before the upgrade, so review site content and WPML's stored settings in the database for injected HTML or script tags and remove anything unexpected; if you find a payload, treat administrator sessions and credentials as exposed and rotate them. A Web Application Firewall (WAF) can add a layer of filtering against XSS attempts, but it is defense in depth, not a substitute for the upgrade.
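As an added example, not part of the Invicti advisory or of the WPML code base, the following Python script combines the two checks a practitioner would want after reading the description and remediation above: a version comparison against the fixed 3.6.4 release, and a scan of exported wp_options rows for HTML or script stored in WPML's settings, which is where a payload injected through locale_file_name_en before patching would persist. The sample rows and the option names in them are constructed for illustration, and the `escape_for_attribute` helper shows the output-encoding principle that makes such a value inert, not the specific change made in WPML 3.6.4.

```python
"""Post-patch checks for the WPML locale_file_name_en stored XSS.
Illustrative code, not WPML's own; sample data below is constructed."""
import html
import re
from typing import Iterable

# Fixed release named by the advisory; everything below it is affected.
FIXED_VERSION = (3, 6, 4)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a plugin header version such as '3.6.3' into a comparable tuple.
    A suffix like '-beta1' is ignored for the comparison."""
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any WPML release older than 3.6.4."""
    return parse_version(version) < FIXED_VERSION


# Markup that never belongs in a locale file name: tag starts, javascript:
# URIs and inline event handlers. Scanning the raw value means PHP-serialized
# settings arrays are covered without having to unserialize them.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"          # tag or comment start, e.g. <script>, <img>, <!--
    r"|javascript\s*:"          # javascript: URIs
    r"|\bon[a-z]+\s*=",         # onerror=, onmouseover=, ...
    re.IGNORECASE,
)


def find_injected_markup(rows: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (option_name, offending snippet) for every stored value that
    carries HTML or script. rows are (option_name, option_value) pairs as
    exported from wp_options."""
    hits = []
    for name, value in rows:
        match = SUSPICIOUS.search(value)
        if match:
            hits.append((name, value[match.start():match.start() + 40]))
    return hits


def escape_for_attribute(value: str) -> str:
    """Context-aware output encoding: the same stored value becomes inert
    once every <, >, &, " and ' is HTML-encoded before it reaches the page."""
    return html.escape(value, quote=True)


# Constructed sample rows in the shape of wp_options (option_name, option_value).
# Option names are assumed for illustration; WPML keeps its settings as a
# PHP-serialized array, which is why the values look like a:N:{...}.
SAMPLE_ROWS = [
    ("icl_sitepress_settings",
     'a:2:{s:19:"locale_file_name_en";s:5:"en_US";'
     's:19:"locale_file_name_de";s:5:"de_DE";}'),
    ("siteurl", "https://example.test"),
    ("icl_sitepress_settings_backup_1",
     'a:1:{s:19:"locale_file_name_en";s:39:"<script>alert(document.cookie)</script>";}'),
    ("icl_sitepress_settings_backup_2",
     'a:1:{s:19:"locale_file_name_en";s:28:"en_US" onmouseover="alert(1)";}'),
]


if __name__ == "__main__":
    for version in ("3.6.3", "3.6.4", "4.0.0"):
        state = "VULNERABLE" if is_vulnerable_version(version) else "fixed"
        print(f"WPML {version}: {state}")
    for name, snippet in find_injected_markup(SAMPLE_ROWS):
        print(f"injected markup in {name}: {snippet!r}")
        print(f"  rendered with escaping: {escape_for_attribute(snippet)!r}")
```

Feed `find_injected_markup` the rows of a real `SELECT option_name, option_value FROM wp_options` export to locate values that need cleaning; the regex is deliberately broad, so review each hit by hand rather than deleting on sight.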