A popular WordPress plugin was hacked last weekend. A hacker defaced its website and sent a message to all its customers revealing the existence of supposedly unpatched security flaws. In another email, the plugin’s developers explained the hack as the work of a former employee, who also defaced their website.
The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and offering WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins whose reputation is such that it does not need to be listed with a free version on the official WordPress.org plugin repository.
But on Saturday the plugin experienced its first major security incident since its launch in 2007. The attacker, who the WPML team claims is a former employee, sent an email to all customers of the plugin. In the email, the attacker claimed to be a security researcher who had reported several vulnerabilities to the WPML team, which were reportedly ignored. The email invited customers to check their sites for possible vulnerabilities.
But the WPML team vigorously disputed these claims. Both on Twitter and in an email that followed the alleged revelations, the WPML team said the hacker is a former employee who left a backdoor in the system and used it to access the server and customer database.
WPML claims that the hacker used the email addresses and customer names taken from the website database to send the email, and also used the backdoor to deface the WPML website, leaving the email text on the site (archived version here).
WPML officials explain that the former employee did not have access to the company's financial information, as they do not store such details, but they did not say whether he was able to log into customers' WPML.org accounts as a result of his access to the site's database.
Company officials explain that they are rebuilding their server from scratch to remove the backdoor and reset all customer account passwords as a precaution.
The WPML team also said that the hacker did not have access to the source code of its official plugin and did not push a malicious version to customer sites. The company and its management were not available to answer further questions about the incident.