🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

WPML

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > WPML

Information

Software Type	Plugin
Software Slug	sitepress-multilingual-cms
Software Status	Active
Software Author	WPML
Software Website	www.wpml.org

12 Vulnerabilities

WPML <= 4.6.0 - Reflected Cross-Site Scripting via wp_lang

6.1

CVE ID Unknown

Apr 16, 2023

Researchers: Deepak kumar, 0xcharan

WPML <= 4.5.10 - Missing Authorization to Translation Job Status Change

4.3

CVE-2022-38974

Nov 9, 2022

Researcher: Dave Jong

WPML <= 4.5.13 - Cross-Site Request Forgery

4.3

CVE-2022-45071

Nov 9, 2022

Researcher: Dave Jong

WPML <= 4.5.13 - Cross-Site Request Forgery

4.3

CVE-2022-45072

Nov 9, 2022

Researcher: Dave Jong

WPML <= 4.5.10 - Missing Authorization to Settings Change

4.3

CVE-2022-38461

Nov 9, 2022

Researcher: Dave Jong

WPML <= 4.5.10 - Unprotected AJAX Actions

5.4

CVE ID Unknown

Sep 26, 2022

Researchers:

WPML < 4.3.7 - Cross-Site Request Forgery Bypass

8.8

CVE-2020-10568

Mar 9, 2020

Researcher: Gerard Arall

WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2018-18069

Oct 8, 2018

Researchers:

WPML 2.9.3-3.2.6 - Cross-Site Scripting in Accept-Language Header

6.1

CVE-2015-9416

Sep 2, 2015

Researchers:

WPML <= 3.1.9 - SQL Injection via lang Parameter

9.8

CVE-2015-2314

Mar 10, 2015

Researcher: Jouko Pynnöne

WPML <= 3.1.9 - Arbitrary Deletion of Content

7.5

CVE-2015-2791

Mar 10, 2015

Researcher: Jouko Pynnöne

WPML < 3.1.8 - Authorization Bypass

5.4

CVE-2015-2792

Mar 2, 2015

Researcher: Jouko Pynnöne

Title	Status	CVE ID	CVSS	Researchers	Date
WPML <= 4.6.0 - Reflected Cross-Site Scripting via wp_lang	Patched		6.1	Deepak kumar, 0xcharan	April 16, 2023
WPML <= 4.5.10 - Missing Authorization to Translation Job Status Change	Patched	CVE-2022-38974	4.3	Dave Jong	November 9, 2022
WPML <= 4.5.13 - Cross-Site Request Forgery	Patched	CVE-2022-45071	4.3	Dave Jong	November 9, 2022
WPML <= 4.5.13 - Cross-Site Request Forgery	Patched	CVE-2022-45072	4.3	Dave Jong	November 9, 2022
WPML <= 4.5.10 - Missing Authorization to Settings Change	Patched	CVE-2022-38461	4.3	Dave Jong	November 9, 2022
WPML <= 4.5.10 - Unprotected AJAX Actions	Patched		5.4		September 26, 2022
WPML < 4.3.7 - Cross-Site Request Forgery Bypass	Patched	CVE-2020-10568	8.8	Gerard Arall	March 9, 2020
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting	Patched	CVE-2018-18069	7.2		October 8, 2018
WPML 2.9.3-3.2.6 - Cross-Site Scripting in Accept-Language Header	Patched	CVE-2015-9416	6.1		September 2, 2015
WPML <= 3.1.9 - SQL Injection via lang Parameter	Patched	CVE-2015-2314	9.8	Jouko Pynnöne	March 10, 2015
WPML <= 3.1.9 - Arbitrary Deletion of Content	Patched	CVE-2015-2791	7.5	Jouko Pynnöne	March 10, 2015
WPML < 3.1.8 - Authorization Bypass	Patched	CVE-2015-2792	5.4	Jouko Pynnöne	March 2, 2015

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation