WordPress MultiLingual Exploit

A Cybersecurity vulnerability once again made it to the headlines raising serious concerns about the safety of data in the digitalized generation that we live in.

Today, websites are read in thousands of languages across the world. WordPress, the popular Content Management System which allows us to create websites has a plugin for the very same. WPML or a WordPress multi-lingual plugin has been used by more than 600,000 websites to display its content in different languages.

This weekend, the popular WordPress plugin WPML (WP MultiLingual) which offers a variant language facility for WordPress users, was hacked creating much buzz in the cyber world.

The Exploit

After gaining access to the website through an old password and a hidden backdoor, the hacker defaced the website by posting a message that claimed that the WPML plugin was full of vulnerabilities and that its clients should check their websites for any possible compromises. Also, he sent the same message as a spam email to the WPML clients claiming that he was a security researcher who reported several vulnerabilities in the plugin to the WPML team, which were ignored by the developers.

It was alleged that an estranged ex-employee is at the bottom of the rubble. It is believed that the hidden backdoor used was inserted by the attacker while he was still employed at the company. On first impression, it looked like an attempt to deface the plugin. The hacker had sent emails to its customers criticizing the website for its lack of proper security offerings despite the considerable amount it charges. He urged the customers to unsubscribe the website and abetted them to ask for a refund from the owners. The email also had a link at the bottom for unsubscribing.

Response to the Attack from the WPML Team:

According to the WPML Developers:

  • WPML plugin running on the client’s site does not contain the exploit
  • Payment information of the client was not compromised as they didn’t store it
  • The intruder has the users’ names and email addresses. They may also have access to user accounts at WPML.org
  • The intruder stole the keys to the client’s site, but they are of no use. They allowed the site to get updates from wpml.org but he cannot make any changes to the site using them

Preventive Measures of the WPML team to the Attack:

The WPML Team has said that they have started building their data servers from scratch so that they could remove the backdoor and ensure that their clients’ accounts are protected.

In the sensational security breach that took place, we were forced to contemplate how safe is our data online? Analysing the damage from this attack, it was found that a humungous amount of data belonging to a large number of WPML plugin users on WordPress was left unsecured and on the mercy of the hacker, as confirmed by the WPML team afterwards. They said that their database containing customer names and email IDs were compromised by the hacker. Although, the team remained tight-lipped when asked about the possibility of the hacker logging in and accessing the sites of the users. They have also advised the users against opening any links sent with the mail as it could contain malware. For the time being, they have also requested users to login to the website only through the official web address.

WPML team has apologized and informed its users about the rebuilding of its site from scratch with an updated and enhanced security structure. The owner has also said that the company is planning to take legal action. Even though the company has affirmed and reaffirmed the finding and mending of the loopholes, the question remains: how safe is our data online?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Rohan Roy

An IT engineer and a cyber security enthusiast, I research on bugs and flaws in Content Management Systems like Drupal and WordPress and discovering how to remove them.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close