Former WPML employee hacks plugin website to spam customers

The website of popular WordPress plugin WPML has been restored after being hacked by a former employee, the plugin-maker OnTheGoSystems said Sunday.

WPML said the incident caused it to lose client data, forced it to rebuild its server from scratch and prompted it to reset all customers’ passwords. OnTheGoSystems said that the plugin itself was not vulnerable and that payment information had not been exposed.

WPML is a tool that WordPress users can purchase to run their websites in different languages. OnTheGoSystems says that more than 600,000 websites use the plugin.

“This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information. In any case, the damage is great and it’s done already,” WPML founder Amir Helzer said in a blog post.

Helzer said a former employee exploited an old password and a hidden vulnerability the employee previously inserted into the site to gain access after leaving the company. The employee appeared to use his access to post a message on a website and spam the same message to WPML clients, Helzer said.

“WPML came with a bunch of ridiculous security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked,” the message reads, according to a user comment on Helzer’s blog post. “Do not expect that if you’re charged for a piece of software, it means that is 100% hack proof. WPML is highly acclaimed but doesn’t prove itself.”

Helzer said that while the intruder stole keys to the WPML website, he can’t use them to affect other websites running the WPML plugin.

WPML tweeted that the company plans to take legal action as a result of the exploit.

“Of course, we all apologize for being responsible of this mess. Our team is available to help with anything that you need,” Helzer said.