Last night the web site for the WordPress Multilingual Plugin (WPML) was hacked, and users of the plugin started receiving emails stating that the plugin is filled with vulnerabilities. According to WPML, this was caused by an ex-employee who left a backdoor in their site.
WPML is a plugin that allows you to add multilingual support to WordPress and, according to their site, is used by 600,000 users.
In an email received by the plugin’s users titled “WPML Updates”, the hacker stated that the plugin contains numerous security vulnerabilities and that users should tighten their security and possibly remove the plugin altogether.
Below is a brief excerpt from this email:
“You are seeing this because you are using WPML. You purchased WPML and installed it on one or more of your sites. Or maybe you just plan to.
I did the same but only to get myself in a whole lot of troubles. WPML came with a bunch of ridiculous security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked.”
In addition to mass-spamming all of the plugin’s users and contacts, the attacker also altered the web site to list “Security Holes” as a feature of the product on its purchase page.
In a blog post, WPML developer Amir Helzer explains that the hack and the resulting spam emails were the work of an alleged ex-employee who left a backdoor in their site. Helzer went on to say that they have updated their site, rebuilt the code, and secured access to the admin account with 2FA.
“These are more precautions than actual response to the hack. Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.
This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information. In any case, the damage is great and it’s done already.”
While Helzer stated that the WPML plugin is safe and does not contain any exploits, and that payment information was not compromised, the intruder does have users’ account information. Because of this, they are suggesting that all users reset their passwords.
internetnewsblog has reached out to WPML with more questions, but had not heard back at the time of this publication.