On Saturday, January 19, WPML customers started reporting having received an email from someone who seems to have hacked the plugin’s website and gained access to customer information.
The hacker claims to be a disgruntled customer who had two websites hacked due to vulnerabilities in the WPML plugin:
WPML came with a bunch of ridiculous security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked.
WPML exposed sensitive information to someone with very little coding skills but merely with access to the WPML code and some interest in seeing how easy is to break it.
I’m able to write this here because of the very same WPML flaws as this plugin is used on wpml.org too.
The hacker also claims to have exploited the same vulnerabilities in order to send the email to WPML’s customers and has published the same message to the plugin’s website. The text is still live at this time and product pages have also been defaced.
Defaced product features page, for example. pic.twitter.com/MWNZh6g1HQ
— Wordfence (@wordfence) January 20, 2019
The commercial multilingual plugin has been in business since 2009 and is active on more than 600,000 WordPress sites. It is a popular plugin for business sites in Europe, North America, Asia, and South America, especially those with a global audience. Customers are still waiting for an official explanation from WPML.
We contacted the company for comment but have not yet received a response. If you are using the plugin, you should deactivate it until the company pushes an update to patch the security vulnerabilities. This story is developing and we will publish new information as it becomes available.
Update from WPML founder Amir Helzer: “The customer is an ex-employee who left an exploit on the server (not WPML plugin) before leaving. Besides fixing the damage, we’ll also be taking legal actions.”