This weekend, users of the popular WordPress translation plugin WPML (also known as WordPress MultiLingual) received an email from a hacker claiming to expose serious security vulnerabilities in the software that allegedly put the customers’ own websites at risk.
In the mass email, sent from WPML’s own servers, the hacker claimed that two of his own websites had been breached due to “a bunch of ridiculous security holes” in WPML’s code. He went on to warn recipients that their own websites could be at risk.
I’m able to write this here because of the very same WPML flaws as this plugin is used on wpml.org too.
Please take this with the warm recommendation of triple-enforcing your security on websites where you use WPML if you must use it. Make frequent backups and monitor your websites closely. Do not leave sensible information lying around in the database or on the server. Use only WPML components and features that you really need. Or ask for your money back.
In a statement on its website, WPML acknowledged that it had been hacked and that it believed the perpetrator to be a former employee.
However, the company disputed the hacker’s claim that there were security holes in the WPML WordPress plugin, and instead claimed that the attacker had accessed its infrastructure by using an old SSH password and backdoor that he had left for himself whilst he worked for the firm.
Even if that’s true, there’s still cause for some concern. After all, if a hacker was able to mass-mail up to 600,000 customers from WPML’s own systems, it’s easy to imagine how a more maliciously minded attacker might use the same capabilities to send out a phishing campaign or malicious links designed to infect users’ computers.
Another nightmare scenario would be if the widely-used plugin’s code was tampered with by an attacker, potentially putting thousands of other websites at risk of exploitation. WPML says that it has verified its plugin’s code has not been compromised.
However, WPML does admit that the alleged ex-employee did manage to steal the names and email addresses of customers, send an unauthorised email on WPML’s behalf, deface WPML’s online store, and publish a bogus blog post containing the same content as the email.
The company says that in response to the attack it has rebuilt its website and ensured that access to administrator accounts is now controlled by two-factor authentication (2FA). Furthermore, WPML says that it has “minimized the access that the web server has to the file system.”
WPML further underlined in its advisory that no payment information had been compromised, and that the popular WordPress plugin does not contain a vulnerability. Customers have been advised to reset their passwords.
From the sound of things, WPML may have a pretty strong idea of the identity of its hacker. One would therefore expect it to share that information with law enforcement so that a proper investigation into the data breach can take place.