WPML (WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages, has been hacked.
After vandalising the company’s website, the hacker went on to send out a mass email to the WPML’s 600,000-plus paying customers, alleging the existence of unpatched security holes.
Claiming to be a security researcher, the attacker said they had discovered and reported several security vulnerabilities that WPML has chosen to ignore. In the email, they urged customers to check their websites for possible compromises, and added an unsubscribe link.
WPML has responded to the incident by sending out a follow-up bulk email strongly refuting the claims and blaming the attack on a belligerent former employee.
Sneaky Backdoor to Blame
Company developers explained to customers that the malicious individual in question had left a backdoor on its official website and leveraged it to gain access to WPML’s server and customer database. They went on to say he had also used the same backdoor to mar the company’s website, leaving the email’s text as a blog post on its site.
The following text, now archived, was posted on WPML’s official blog by the hacker: “You’re seeing this because you are using WPML. You purchased WPML and installed it on one or more of your sites. Or maybe you jus [sic] plan to.
“I did the same but only to get myself in a whole lot of troubles [sic]. WPML came with a bunch of ridiculous security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked.
“WPML exposed sensitive information to someone with very little coding skills but merely with access to the WPML code and some interest in seeing how easy is to break it.”
Since the company does not store its clients’ financial information, it was able to assure them that the hacker had not gained access to that information. The team also said the hacker had not gained access to the source code of its official plugin and had not pushed a malicious version to customers’ sites.
However, the developers could not rule out that the attacker could now log into customers’ WPML.org accounts as a result of compromising the site’s database.
This is the company’s first major security breach since its launch in 2007. WPML is now in the process of rebuilding its server from scratch to remove the backdoor and resetting all customer account passwords as a precaution.