WPTavern: WPML Website Hacked, Customer Emails Compromised

On Saturday, January 19, WPML customers started reporting having received an email from someone who seems to have hacked the plugin’s website and gained access to customer information.

The hacker claims to be a disgruntled customer who had two websites hacked due to vulnerabilities in the WPML plugin:

WPML came with a bunch of ridiculous security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked.

WPML exposed sensitive information to someone with very little coding skills but merely with access to the WPML code and some interest in seeing how easy it is to break it.

I’m able to write this here because of the very same WPML flaws as this plugin is used on wpml.org too.

The hacker also claims to have exploited the same vulnerabilities in order to send the email to WPML’s customers and has published the same message to the plugin’s website. The text is still live at this time and product pages have also been defaced.

The commercial multilingual plugin has been in business since 2009 and is active on more than 600,000 WordPress sites. It is a popular plugin for business sites in Europe, North America, Asia, and South America, especially those with a global audience. Customers are still waiting for an official explanation from WPML.

We contacted the company for comment but have not yet received a response. If you are using the plugin, you should deactivate it until the company pushes an update to patch the security vulnerabilities. This story is developing and we will publish new information as it becomes available.

Update from WPML founder Amir Helzer: “The customer is an ex-employee who left an exploit on the server (not WPML plugin) before leaving. Besides fixing the damage, we’ll also be taking legal actions.”


Got same mail and there is this text on #wpml website visible now. What happened guys? #security #hack #vulnerability #0day or something? #WordPress — Gytis Repečka (@gytisrepecka) January 19, 2019

Source: WordPress
