The company behind the widely used WordPress plugin WPML has been through a tumultuous few days after many of its customers received an email this past weekend that purported to warn them about “a bunch of ridiculous security holes” in the plugin’s code.
Those vulnerabilities were said to have led to the compromise of two of the email sender’s sites, implying that other websites using the plugin could also be at risk of exploitation. But as the plugin’s maker wrote shortly afterwards, the mass email had not been a well-intentioned warning at all.
Said WPML developer Amir Helzer: “Many of our clients received very distressing emails about an exploit on WPML plugin. This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it”.
And in a bit of an unexpected twist:
“Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee. This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information,” wrote Helzer, hinting at a case of ‘the enemy within’.
In other words, the incident is said to have been facilitated by a backdoor that the former employee is thought to have planted in the site before parting ways with the firm, along with an SSH password that was never rotated after his departure. The hacking spree also involved defacing the plugin’s website and posting a blog entry with the same warning as that in the email message.
All’s well that ends well?
We finished rebuilding our https://t.co/PNgrXNs87B site after it was hacked this weekend. Please, be sure to update your WPML account password and use a secure one. Again, the plugin was not compromised. Thanks for all the support messages and apologies for the whole situation.
— WPML (@wpml) January 21, 2019
As per Helzer’s post, the team behind WPML has “updated wpml.org, rebuilt everything and reinstalled everything”, as well as secured access to the admin interface with two-factor authentication (2FA). Helzer also stressed that the plugin itself was not vulnerable, as well as that customers’ payment information was not compromised, since the company doesn’t store it.
Having said that, he noted that the intruder made off with customer names and emails and may also have access to customers’ WPML accounts.
With that in mind, users of the tool – which is intended to help create multilingual WordPress-powered websites – are advised to reset their passwords on wpml.org, as well as on any other sites where they may have reused the same login credentials. Around 600,000 sites use the plugin.