The website for a popular WordPress plugin was hacked over the weekend, when a former employee abused a previously implemented backdoor to take over the domain.
The impacted plugin is WPML (The WordPress Multilingual Plugin), paid software that helps authors write content in different languages and translate that content (pages, posts, custom types, taxonomy, menus, and even the theme’s texts). WPML is also compatible with other popular themes and plugins.
According to its developers, WPML is currently used by nearly 1 million sites.
Over the weekend, WPML faced a major security incident that impacted not only the developers’ website, which had to be rebuilt, but also customer data, when a former employee took over the website and stole customer data, including sitekeys.
The hacker also decided to send mass messages to WPML customers, supposedly to warn them of critical vulnerabilities in the plugin that could be exploited to fully compromise websites. He posted the message on WPML.org as well, but many users identified it as being the result of a hack.
The WPML team revealed the incident on Sunday, via Twitter, noting right from the start that the compromise appeared to be “an ex-employee backdoor” and also advising customers to change their passwords.
In a blog post published today, the developers confirm that the former employee was behind the attack and that customer data was indeed compromised in the incident.
“Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee. This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information,” the team says.
“Many of our clients received very distressing emails about an exploit on WPML plugin. This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems,” the blog post reads.
The WPML team also underlines that the plugin does not contain the exploit the hacker used to compromise the WPML.org website, and that payment information wasn’t impacted either, as it is not stored on the site.
They also confirm that the hacker stole customer names and emails and that they might also have access to client accounts at WPML.org. The intruder also stole the sitekeys from WPML.org, but the team says “they are of no use,” since they are only used to push updates from wpml.org.
“We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin use 2-factor authentication and minimized the access that the web server has to the file system,” the plugin’s developers say.
The team once again advised users to reset their accounts in wpml.org and says they will likely take additional post-breach actions that users will be informed about in the next few days.
Related: WordPress to Warn on Outdated PHP Versions
Related: Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress