Share This Post

News / Wordpress

Former employee hacks WPML WordPress plugin site to spam users

Former employee hacks WPML WordPress plugin site to spam users

A few hours ago, the website of popular WordPress plugin WPML (WordPress Multilingual Plugin) got hacked by an ex-employee who had left a backdoor in the site. After hacking, the attacker sent out a mass-mail to every user, stating that the plugin contains several vulnerabilities and warned them to not store any sensitive information on database.

WPML plugin is used to write content in multiple languages and translate content without any need of technical or programming skills. English, Spanish, French, German, Italian and Dutch are the most popular languages on WPML. As per their site, the plugin is currently used by more than 600K WordPress websites.

After hacking the WPML website, the attacker sent the following email to every user:

The attacker mentioned in the email that he is a frustrated user of the same plugin who got two of his websites hacked because of security holes in the plugin. Since the same plugin is used by WPML as well, he hacked their website to warn other users.

The attacker also published a blog post on WPML site with the same message that he had sent to users.

However, WPML wrote in a tweet that “Looks like an ex-employee backdoor”. The plugin creator also clarified that they double-checked the plugin, and assured users that there is no exploit. Since the plugin doesn’t store any payment information, there’re no chances of compromising it.

Also read: Plenty of plugins and PHP libraries disabling TLS validation, leaving sensitive data at risk

As of now, WPML has rebuilt its website and suggested the users to update their WPML account password and use a secure one.

Update: The title of this news has been updated with feedback from the WPML team. The readers are hereby informed that the plugin was not compromised or hacked and was/is safe to use. The attack was aimed specifically at WPML website.

Share This Post

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>