Here's some strange news out of the WordPress plugin community this week. A popular WordPress multilingual plugin was hacked by a former employee who sent a mass email warning of security vulnerabilities.
The plugin — WPML (or WP MultiLingual) — is a massively popular (+600,000 active installations) paid plugin that's been a "staple" of the WordPress community for some time now.
So, let's dive in and dissect what's going on in the "World of WordPress" this week.
WPML allows users to translate their web pages across language channels, and it has been wildly successful — managing to snag over 600,000 purchases. Of course, when the middle tier option of the plugin runs $79.99, that's a massive accomplishment.
According to the WPML website:
"WPML is a plugin for WordPress. Simply put, plugins extend the functionality of the basic WordPress CMS. In this case, WPML makes WordPress run multilingual."
Things have been good for WPML, and during its 6-year run it's managed to become a pillar of the WordPress community. Everything seemed to be good in WPML land. That is, until last week.
On Saturday (Jan 18th, 2018) users of the plugin were sent an unauthorized mass email. In the email, the attacker posed as a security researcher and claimed to have uncovered several critical vulnerabilities within the WPML framework. The attacker also claimed to own several websites running WPML that had been hacked because of the critical vulnerabilities contained within the plugin.
According to the email:
"WPML exposed sensitive information to someone with very little coding skills but merely with access to the WPML code and some interest in seeing how easy it is to break it"
The WPML team was quick to respond. In a quick series of Twitter posts, the WPML team confirmed that the source of the attack was "likely an ex-employee" due to the backdoor/password combo that the attacker used, and that the "attacker did not gain access to source code" (which is strange given that WPML's entire plugin is simply code). At the same time, WPML admitted that the attacker likely accessed customer names, emails, and password information, though they claim that no payment information was stolen.
The attack also defaced the WPML WordPress site with a similar message.
WPML's team is adamant that none of these vulnerabilities exist, though they rebuilt their server from scratch in an attempt to destroy any remaining backdoors.
Here's what we know happened:
WPML — over 600,000 paid WordPress users — was hacked by an attacker who sent out a mass email warning of plugin vulnerabilities. The team quickly responded that the attack was likely an ex-employee. Customer names, emails, and passwords were stolen by the attacker (which he used to send the mass email). WPML rebuilt their server and claimed that no such vulnerabilities exist.
During this wild ride, we saw a ton of news outlets report on the fiasco. Interestingly, we saw the repeated sentiment that this was the first vulnerability within WPML. In fact, ZDNet claimed, "the plugin faced its first major security incident since its launch in 2007". So, we decided to see if this was true.
Spoiler alert: it's not.
In October 2016, the security team at Wrike found an SQL injection vulnerability - CVE-2015-2314.
In March 2015, Jouko Pynnonen at Klikki Oy found an SQL injection vulnerability - CVE-2015-2315.
In March 2015, Jouko Pynnonen also found a "menu sync" vulnerability that allowed attackers to remotely delete content - CVE-2015-2791.
There are other vulnerabilities contained within that Klikki post; check them out here.
Of course, we're only looking at the vulnerabilities with a CVE, which is an unreliable measure given that nearly 8,000 security vulnerabilities did not receive a CVE identifier in 2017 alone.
The point here is that it's not the first time that WPML has been vulnerable, a recurring theme for most WordPress themes and plugins.
Overall, the entire incident moved pretty fast — being wrapped up in a few days. There were a few headlines, but, for the most part, the company is being silent about what happens next.
When a userbase of over 600,000 paid customers has its passwords, emails, and names stolen, it's a big deal. So, the way that WPML approaches this security breach is going to be key.
Since they claim to know the source of the attack, we expect that legal action will be taken against the individual. But, we think that this entire fiasco highlights some important points.
The security state of WordPress hinges on the rampant vulnerabilities in WordPress plugins. With the average WordPress website boasting quite a few plugins, security issues are pervasive in the community. After all, each plugin is another potential security hole, and users are forced to rely on multiple third-party vendors. If any of those vendors are compromised, users' sites are at risk.
The current ecosystem of security in the WordPress world is disappointing. It seems like users having their information stolen is now just "fair game," and most plugin devs simply send out a quick Twitter apology and move on to the next big thing. The security world of WordPress is "hush-hush." With the bulk of vulnerabilities simply never receiving a CVE, and many security teams and developers fixing issues in silence, users are left to wonder how their website or online store was compromised.
For now, the WPML vulnerability fiasco seems to be over. The damage is already done. As usual, these vulnerabilities end with webmasters taking the majority of the damage, while most plugins recover within days of a vulnerability. The current WordPress ecosystem quietly "lives" with vulnerabilities. It seems to be a daily occurrence, and the end doesn't seem to be in sight. Want to see what we mean? Check out how bad the situation is getting.
Are you tired of living in fear of vulnerabilities as a webmaster? Contact us.