Former employee hacks WPML WordPress plugin site to spam users

1 Mins read

A few hours ago, the website of popular WordPress plugin WPML (WordPress Multilingual Plugin) got hacked by an ex-employee who had left a backdoor in the site. After hacking, the attacker sent out a mass-mail to every user, stating that the plugin contains several vulnerabilities and warned them to not store any sensitive information on database.

WPML plugin is used to write content in multiple languages and translate content without any need of technical or programming skills. English, Spanish, French, German, Italian and Dutch are the most popular languages on WPML. As per their site, the plugin is currently used by more than 600K WordPress websites.

After hacking the WPML website, the attacker sent the following email to every user:

The attacker mentioned in the email that he is a frustrated user of the same plugin who got two of his websites hacked because of security holes in the plugin. Since the same plugin is used by WPML as well, he hacked their website to warn other users.

The attacker also published a blog post on WPML site with the same message that he had sent to users.

However, WPML wrote in a tweet that “Looks like an ex-employee backdoor”. The plugin creator also clarified that they double-checked the plugin, and assured users that there is no exploit. Since the plugin doesn’t store any payment information, there’re no chances of compromising it.

Also read: Plenty of plugins and PHP libraries disabling TLS validation, leaving sensitive data at risk

As of now, WPML has rebuilt its website and suggested the users to update their WPML account password and use a secure one.

Update: The title of this news has been updated with feedback from the WPML team. The readers are hereby informed that the plugin was not compromised or hacked and was/is safe to use. The attack was aimed specifically at WPML website.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty − 11 =