The WPML plugin for WordPress has a security vulnerability in all versions up to and including 4.6.12. This vulnerability is called Remote Code Execution and it happens because the plugin does not properly check and clean the code it uses to display templates. This means that someone who is logged in and has Contributor-level access or higher can run their own code on the website’s server.