Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Former Employee Hacks Popular WordPress Plugin’s Website

The website for a popular WordPress plugin was hacked over the weekend, when a former employee abused a previously implemented backdoor to take over the domain.

The website for a popular WordPress plugin was hacked over the weekend, when a former employee abused a previously implemented backdoor to take over the domain.

The impacted plugin is WPML (The WordPress Multilingual Plugin), paid software that helps authors write content in different languages and translate that content (pages, posts, custom types, taxonomy, menus, and even the theme’s texts). WPML is also compatible with other popular themes and plugins.

According to its developers, WPML is currently used by nearly 1 million sites. 

Over the weekend, WPML faced a major security incident that impacted not only the developers’ website, which had to be rebuilt, but also customer data, when a former employee took over the website and stole customer data, including sitekeys. 

The hacker also decided to send mass messages to WPML customers, supposedly to warn them of critical vulnerabilities in the plugin that could be exploited to fully compromise websites. He posted the message on WPML.org as well, but many users identified it as being the result of a hack. 

The WPML team revealed the incident on Sunday, via Twitter, noting right from the start that the compromise appeared to be “an ex-employee backdoor” and also advising customers to change their passwords. 

In a blog post published today, the developers confirm that the former employee was behind the attack and that customer data was indeed compromised in the incident. 

“Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee. This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information,” the team says. 

“Many of our clients received very distressing emails about an exploit on WPML plugin. This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems,” the blog post reads. 

The WPML team also underlines that the plugin does not contain the exploit the hacker used to compromise the WPML.org website, and that payment information wasn’t impacted either, as it is not stored on the site. 

They also confirm that the hacker stole customer names and emails and that they might also have access to client accounts at WPML.org. The intruder also stole the sitekeys from WPML.org, but the team says “they are of no use,” since they are only used to push updates from wpml.org. 

“We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin use 2-factor authentication and minimized the access that the web server has to the file system,” the plugin’s developers say.

The team once again advised users to reset their accounts in wpml.org and says they will likely take additional post-breach actions that users will be informed about in the next few days. 

Related: WordPress to Warn on Outdated PHP Versions

Related: Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...