In a serious case of insider threat, CyberScoop reported that a former employee regained access to the website of the popular WordPress plugin WPML after leaving the company, using an old password and a hidden vulnerability he had inserted into the site while still employed. The employee appears to have used that access to post a message on the website and to spam the same message to WPML clients.
Ex-Employee Hacks WPML WordPress Plugin Site and Spams Users – BleepingComputer https://t.co/a3yJrd3AYl
— ExpertTheme (@experttheme01) January 23, 2019
WPML said the incident caused it to lose client data, forced it to rebuild its server from scratch and prompted it to reset all customers’ passwords. OnTheGoSystems said that the plugin itself was not vulnerable and that payment information had not been exposed.
We finished rebuilding our https://t.co/PNgrXNs87B site after it was hacked this weekend. Please, be sure to update your WPML account password and use a secure one. Again, the plugin was not compromised. Thanks for all the support messages and apologies for the whole situation.
— WPML (@wpml) January 21, 2019
Expert Comments Below:
Bill Evans, a VP at One Identity: