Popular WordPress plugin WPML (or WP MultiLingual) is hacked
Hacker broke the website of the company and sent a mass email to all its customers, alleging unpatched security holes.
During the weekend, a very popular WordPress plugin was hacked after a hacker broke its website and sent a mass message to all its customers revealing the existence of alleged unpatched security holes.
In a follow-up mass email, the developers of the plugin blamed a former employee who also broke their website for the hack. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for the multi-language translation and service of WordPress sites.
According to its website, WPML has more than 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn’t have to advertise on the official WordPress.org repository with a free version of it. But the plugin faced its first major security incident since its launch in 2007 on Saturday, ET timezone.
— D34D (@drd34d) 19 January 2019
The attacker, claimed to be a former employee by the WPML team, sent a mass email to all customers of the plugin. In the email, the attacker claimed that he was a security researcher reporting several vulnerabilities to the ignored WPML team. The email[1, 2, 3, 4] urged customers to verify possible compromises on their sites.
However, the WPML team strongly contested these claims. Both on Twitter [1, 2] and in a mass email follow-up, the WPML team said that the hacker was a former employee who left a backdoor on its official website and used it to access its server and customer database.
WPML claims that the hacker used the website’s email addresses and customer names to send the mass email from the website database, but also used the backdoor to deface its website, leaving the email text as a blog post on its website [archived version].
Developers said that the former employee had no access to financial information because they did not store such details, but they did not rule that he could now log into the WPML.org accounts of customers as a result of compromising the site’s database.
This is a screenshot of the email WPML sent. Quite an amazing story. In many jurisdictions including the USA, this is jail time. So I find it quite incredible that an employee would leave a backdoor, use it to deface their site, steal their data and email all subscribers. https://t.co/ouI3gwuVGW
— Mark Maunder. (@mmaunder) 20 January 2019
The company says that it is now rebuilding its server from scratch to remove the backdoor and reset all passwords for the customer account. The WPML team also said that the hacker did not access its official plugin’s source code and did not push a malicious version to customer sites.
For further questions relating to the incident, the company and its management were not available. It is unclear whether the employee reported to the authorities at the time they wrote. If the company claims true, it is unlikely that the former employee will escape prison time.