WPML is a popular WordPress multilingual plugin with more than 600,000 paying customers. Its website was hacked and defaced over the weekend. The hacker also sent a mass email to all of its customers telling them about supposedly unpatched security holes.
The hacker is said to be a former employee of WPML who claims in the mass email to be a security researcher. He also claimed to have found several vulnerabilities in the plugin, which he had reported to the WPML team. In the email, he urged customers to check their websites for security breaches.
Soon after the incident, the WPML team denied having anything to do with the emails sent by the hacker. The team clarified that the hacker obtained the customer names and email addresses from the database he managed to break into. The hacker also gained access to the official website and posted the fake email there as a blog post.
Read it here: WPML Warning
The team at WPML assured customers that the hacker could not have obtained financial information, because that information is not stored on the website. They could not, however, rule out the possibility that the hacker now has access to customers' wpml.org accounts.
Many customers were concerned that the hacker had gained access to the plugin's source code. WPML's team stated that the hacker does not have access to the source code and therefore cannot push a malicious version to customers' websites.
This was the first major security breach at WPML since its inception in 2007. To prevent any such incident in the future, the team is now rebuilding the server and will reset customers' account passwords.
The alleged hacker, said to be a former WPML employee, could face jail time if the claims turn out to be true.