WP MultiLingual plugin (WPML) was over the weekend hacked by the company’s former employee. The hacker also defaced the company’s website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. The WP MultiLingual plugin (WPML) is the most popular WordPress plugin for translating and serving WordPress sites in multiple languages.
The plugins have over 600,000 paying customers and very popular among website developers and owners. According to ET Timezone, the plugin faced a major security breach since its launch in 2007. The plugin developers blamed the hack on a former employee. The developer claimed that the hacker left a backdoor on its official website and used it to gain access to its server and its customer database.
WPML claims the hacker used the email addresses and customer names he took from the website’s database to send the mass email, but he also used the backdoor to deface its website, leaving the email’s text as a blog post on its site. It also noted that the hacker didn’t get access to financial information, as they don’t store this kind of details. WPML didn’t rule that he could now log into customers’ WPML.org accounts as a result of compromising the site’s database.
WPML also assured customers that the hacker didn’t gain access to the source code of its official plugin and did not push a malicious version to customers’ sites. The company is currently rebuilding its server from scratch to remove the backdoor and resetting all customer account passwords as a precaution.