The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classified as “Critical,” with a CVSS score of 9.9. Users are strongly advised to update their websites to the patched version, WPML 4.6.13. Security researcher Mat Rollings (stealthcopter) discovered and…
In this episode, John James Jacoby and I are joined by Morten Rand-Hendriksen and Rachel Cherry to discuss the WordPress Governance project. We discover why it was created, its goals, and how it aims to help govern the systems and processes that make up the WordPress project. Stories Discussed: WPML Alleges Former Employee Breached Website…
Over the weekend, many WPML customers received an unauthorized email from someone who claimed to have hacked the company’s website and gained access to customer emails. WPML founder Amir Helzer suspects that the attacker is a former employee. “The customer is an ex-employee who left an exploit on the server (not WPML plugin) before leaving.…
On Saturday, January 19, WPML customers started reporting having received an email from someone who seems to have hacked the plugin’s website and gained access to customer information. https://twitter.com/gytisrepecka/status/1086753453429481473 The hacker claims to be a disgruntled customer who had two websites hacked due to vulnerabilities in the WPML plugin: WPML came with a bunch of…
When WPML emailed new passwords to customers in plaintext, some customers thought it was due to a security breach. Amit Kvint, compatibility team leader for WPML, confirmed the emails are not a result of a security breach. In a post on the official WPML blog, Kvint says the emails were a preventive measure to insure…