The developers of the popular WordPress Multilingual (WPML) plugin said they suffered an attack by a former employee. The disgruntled ex-developer defaced his former company's official website and also emailed every user of the plugin, claiming that WPML has numerous security problems.
WPML is one of the most popular multilingual solutions for WordPress sites. According to official statistics, the plugin has been downloaded and installed over 600,000 times.
Over the weekend, plugin users received an unexpected mass mailing. In emails titled "WPML Updates", an unknown sender warned users to check their sites for compromise immediately, claiming that WPML is riddled with vulnerabilities that the developers know about but prefer to ignore. A copy of one such email is shown below.
FYI: someone hacked @wpml's website and sent this out to everyone pic.twitter.com/lMml23qUjD
— Ben Word (@retlehs) January 19, 2019
WPML's developers quickly denied the claims, posting a retraction on the official Twitter account and emailing users an official statement. The company says responsibility for the mass mailing lies with a former employee who, before leaving, left a backdoor on the server and used it to gain access to the customer database.
Besides sending the allegedly bogus vulnerability reports, he also defaced the plugin's official website, posting the same message on its front page (an archived version of the page is available here) and adding a "Security Holes" item to the section describing the product's features.
Photo: Donnacha MacGloinn
The company assures that the intruder did not have access to clients' financial data, since the developers simply do not store such details. However, because he is believed to have compromised the site's database, the former employee may now have access to any account on WPML.org. The company also reports that the plugin's source code was not affected, so there is no reason to fear malicious versions of WPML.
We're very sorry to report that our WEBSITE got hacked. Looks like an ex-employee backdoor. There is NO exploit in the WPML plugin we double-checked. Payment information was NOT compromised as we don't store this information. We strongly advise changing your WPML account password.
— WPML (@wpml) January 20, 2019
The developers apologized to users and wrote that they have already rebuilt the server from scratch to make sure the backdoor is gone, and have also decided to reset all user passwords as a precaution.
We're rebuilding the server from scratch, resetting all passwords and locking down everything. We'll write again once our site is secured again. Again, we're very sorry for having lost your name and email to this intruder. Besides fixing the site, we'll also take legal action.
— WPML (@wpml)