Popular WordPress Plugin WPML Hacked By Angry Former Employee

A very popular WordPress plugin was hacked over the weekend after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. From a report: In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn't need to advertise itself with a free version on the official WordPress.org plugins repository. But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007. The attacker, which the WPML team claims is a former employee, sent out a mass email to all the plugin's customers.

Security

If your security is so shitty that a *former* employee can deface your website, you basically don't have any security...

Re:Security

If your security is so shitty that a *former* employee can deface your website, you basically don't have any security...

This is what happens when your security team is a bunch of níggers promoted only because of affirmative action.

Re:Security

[Narcocide]

No, this is what happens after you lay them off because you thought they weren't doing anything.

Re:Security

They didn't lay off the black people.

Re:Security

no this is what happens after you lay off the lazy shits that knew of the hole and had no idea cause you hired with affirmative action

Re:Security

[Desler]

It's also a joke that in 2019 that WordPress has no notion of sandboxing plugins so that any security holes they do have could be reasonably contained. Why do they still allow plugins to be huge gaping security holes?

Re:Security

Because PHP is still a fractal of bad design.

Re:Security

You can bitch all you want about an insanely popular scripting language, it doesn't change the fact that people build amazing quality working applications with it, and a *lot* of them. Real devs ship. Fake devs spend their time bitching about toolsets.

The fun thing with Wordpress is that it auto-updates. It looks like in this instance the plugin itself wasn't hacked, just the website they use to manage it, however in the case that Wordpress gets hacked, within hours a large chunk of the world's websites will be pwned.

Re:Security

who the fuck needs qa engineers?

microsoft doesn't have any. the home user is the test pool.

Re:Security

[sproketboy]

A better question is why does garbage like WordPress still exist.

Re:Security

[ilsaloving]

Wordpress is a sloppily designed CMS written in the sloppily designed language PHP.

The entire architecture is so laughably bad that it's no surprise at all that they have to deal with security issues on an almost weekly basis. Wordpress is designed to be easy to get up and running. That's why it's popular. Security, maintenance and data workflow are all afterthoughts that need to be shoehorned in.

This situation is completely unavoidable. There is no facility in the language for supporting something as sophisticated as sandboxing. Furthermore, WPML is a deeply embedded plugin that is effectively one layer directly above the actual content. Even if sandboxing were possible, WPML would be very difficult to sandbox because of how deeply it sticks its fingers.

They didn't change passwords when he/she left?

The first thing that happens when an employee leaves (particularly someone who has access to files) is to CHANGE ALL THE PASSWORDS! DUH!

Re:They didn't change passwords when he/she left?

You see, that's your first mistake.
Having multiple passwords. Difficult to remember them all.

Unless you name you passwords like Rimuru names the Orcs, you'll have no change of remembering them.
So you write them down. Now, you can remember them but it's a security issue. But you can remember the
passwords. Where's the balance?

Answer :: Use a single password for everything. Easy to remember and secure since you don't write it down anywhere.
Easy-peasy.

You're welcome ...

CAP === 'inexact'

Re: They didn't change passwords when he/she left?

Oh fuck where do you kids get this shit? No!

You use MFA keyed back to a central system like Okta or AD or an RSA device or any number of things. When they leave you check the Disable User box and they are out.

Re:They didn't change passwords when he/she left?

[mattyj]

Yeah, I would hardly categorize this as a 'hack', and more like a company that knows nothing about how to handle terminations. The headline should read:

"Popular WordPress plugin WPML fails to properly off-board former employee, website defaced"

Wordpress got hacked????

What year is it, 2002, 2003, 2004... 3019? Every year this happens

Re: Wordpress got hacked????

I thought that it will end with n+1. I'm brainwashed.

Re:Wordpress got hacked????

They are just trying to catch up with Adobe...

Fox News is a pack of lies, sorry Narcocide

The fact-checks behind 'The Daily Show's' 50 Fox news 'lies'
By Lauren Carroll, Aaron Sharockman on Thursday, February 26th, 2015 at 3:00 p.m.
The Daily Show posted a Vine Wednesday titled, "50 Fox News lies in 6 seconds."
We’ve fact-checked almost all of the statements they cited. For the record, we originally counted 49 claims, not 50. The Daily Show said No. 50 was left off due to a technical error. They've updated their Vine, which we've included here.
* * *
1. "In July 2010 the government said small businesses -- 60 percent -- will lose their health care, 45 percent of big business and a large percentage of individual health." Sean Hannity, Nov. 11, 2013 False
* * *
2. "And President Obama has offered to pay out of his own pocket for the museum of Muslim culture out of his own pocket, yet it's the Republican National Committee who's paying for this." Anna Kooiman, Oct. 5, 2013 https://bit.ly/2W1wHzv
* * *
3. Labor union president Andy Stern is "the most frequent visitor" at the White House. Glenn Beck, Dec. 3, 2009 False
* * *
4. "Far more children died last year drowning in their bathtubs than were killed accidentally by guns." Tucker Carlson, Aug. 9, 2014 Pants on Fire
* * *
5. White House Political Director Patrick Gaspard once served as the "right-hand man" for Bertha Lewis, who heads up ACORN. Steve Doocy, Sept. 29, 2009 False
* * *
6. "Look at the debt that has been accumulated in the last two years. It's more debt under this president than all those other presidents combined."
Sarah Palin, May 31, 2011 False
* * *
7. "There is no good data showing secondhand smoke kills people." John Stossel, Dec. 4, 2014 False
* * *
8. "Democrats are poised now to cause this largest tax increase in U.S. history." Sarah Palin, Aug. 1, 2010 Pants on Fire
* * *
9. "The insurance industry is actually run by mostly Democrats." Dana Perino, Oct. 31, 2013 False
* * *
10. The Obama administration "manipulated deportation data to make it appear that the Border Patrol was deporting more illegal immigrants than the Bush administration." Lou Dobbs, July 1, 2014 False
* * *
11. Some doctors say Ebola can be transmitted through the air by "a sneeze or some cough." George Will, Oct. 19, 2014 False
* * *
12. Says the Texas State Board of Education is considering eliminating references to Christmas and the Constitution in textbooks. Gretchen Carlson, March 10, 2010 Pants on Fire
* * *
13. Because of President Barack Obama’s failure to "push job creation," the black unemployment rate in Ferguson, Mo., is three times higher than the white unemployment rate. Lou Dobbs, Aug. 19, 2014 False
* * *
14. When White House communications director Anita Dunn said that Mao Tse-tung was "one of her favorite philosophers, only Fox News picked that up."
Bill O’Reilly, Oct. 23, 2009 False
* * *
15. "The president of the United States will be taking a trip over to India that is expected to cost the taxpayers $200 million a day." Michele Bachmann, Nov. 3, 2010 False (Note: Bachmann’s claim was made on CNN, not Fox News but Glenn Beck made a similar claim on Fox)
* * *
16. "We researched to find out if anybody on Fox News had ever said you're going to jail if you don't buy health insurance. Nobody's ever said it." Bill O’Reilly, Oct. 27, 2010 Pants on Fire
* * *
17. "If you make more than $250,000 a year you only really take home about $125,000." Steve Doocy, July 11, 2012 False
* * *
18. A Census Bureau worker says he was told to skew information to bring the unemployment rate down "as we headed into an election season." Elisabeth Hasselbeck, Nov. 19, 2013 False
* * *
19. "Health care mandate will require imprisonment and fines for Americans who can’t afford to purchase insurance or pay hefty government penalties." Patients First, Sept. 21, 2009 Mostly False (Note: Fox hosts have said closely similar statements because of our research into Bill O’Reilly’s Pants on Fire claim -- No. 1

Re: The daily show is your news source? Oh my god

When a self styled left wing comedy show is your source of truth about the world... I just dont know what to say to that. You are simply too stupid to understand anything an adult might say in response.

Do you also think SNL is a news show?

Fact checked by a comedy show... and you eat this stuff up. -eye roll-

Re: The daily show is your news source? Oh my god

Do you have an actual rebuttal to the fact checking?

You got smoked by your own lies, deal with it fag.

The comedy show referenced the fake Fox News verbatim, it was fact checked and proven valid. When a comedy show OWNS FACTUALLY your "news" operation? YOU GOT SMOKED BY YOUR OWN LIES, MORON.

Deal with it snowflake.

Re: The daily show is your news source? Oh my god

Cool Fact: The Daily Show was originally a parody of network news. Being a show on the "Comedy Central" channel should be a give-away.

All the kids started watching it instead of "real" news and then it then evolved into an ultra-left hate-spouting alternate-news program.

Re: The daily show is your news source? Oh my god

If you hate being factually challenged and proven a liar constantly, one easy solution is to stop lying faggot Republicans. It's so simple even a GOP caveman can do it - or can you? I thought you could... maybe?

Let's see if you can go 3 minutes without lying, then we'll double it. If you Trumptards make it one full day without a single lie, you may even graduate back to society. But let's not get ahead of ourselves.

You are backing a traitor right now, that can't be easily repaired. He's literally Putin's dick cozy. Literally, Trump keeps Putin's cock warm for his livelihood and well-being ongoing. Mueller brings the thick rope soon though.

Rope doesn't lie, Republican traitors. Memba dat.

Enjoy your criminal record, idiot

[bigmacx]

Hope they get this idiot charged and release their name.

Every time one of these "inside" IT type persons does something against an employer by using their privileged access to their systems, it makes it more difficult for all of us to operate within our own companies. And don't try to fault me by the "ex-employee" logic. Any one of us knows full well we could fsck with a former employer's systems even if they think they've locked us out.

Those in our field that violate the trust placed in us by employers should be drawn and quartered, tarred and feathered. At they very least named and shamed.

Re:Enjoy your criminal record, idiot

His name is Christopher Dale Reimer.

Re:Enjoy your criminal record, idiot

Any one of us knows full well we could fsck with a former employer's systems even if they think they've locked us out.

Then you've done your job poorly.

Re:Enjoy your criminal record, idiot

Probably. Name one human being in all of history that has achieved 100% perfection in all of their endeavours?

Dismissing reality because it's not perfect is exactly why these sorts of things happen. Holes exist, former employees know about them. That is reality.

Re:Enjoy your criminal record, idiot

Those in our field that violate the trust placed in us by employers should be drawn and quartered, tarred and feathered. At they very least named and shamed.

Funny. A friend of mine does independent contracting and most of his jobs involve converting WordPress to "literally anything else".

Anyways you are being too lenient on this guy. As far as ex-employees go, some people want Snowden dead. Some people on the other hand know what word "every" means by the time they get a degree in Computer Science. Are you so sure this guy didn't do you a favor for the wrong reasons?

Re:Enjoy your criminal record, idiot

Or, you know, employers could treat their employees well and build loyalty. Crazy, I know.

Re:Enjoy your criminal record, idiot

I agree completely, but I think tarring and feathering should be done before being drawn and quartered.

Re:Enjoy your criminal record, idiot

[Errol+backfiring]

Please think of the horses. They shouldn't get tar and feathers on their skin.

Re:Enjoy your criminal record, idiot

Funny. A friend of mine does independent contracting and most of his jobs involve converting WordPress to "literally anything else".

Funny! My job involves turning "literally anything" into a wordpress site! Maybe we could team up?

Re:Enjoy your criminal record, idiot

No, the employee has limited responsibility in this case, even if an ex. Any employer that has holes that can be used by an ex-employee is already fscking their clients by relying on security through obscurity.

Re:Enjoy your criminal record, idiot

[ilsaloving]

Or, you know, employers could treat their employees well and build loyalty. Crazy, I know.

Why are you assuming they didn't? Some people are just assholes. If someone is willing to pull a stunt like this, I'm inclined to believe that they weren't a particularly good admin to begin with.

I'd like to see his proof reviewed by experts ...

[Qbertino]

... and then, if he's proven to be resonably right with his accusations, be let of the hook. It should be very easy to check the WPML codebase and the security holes he speaks of. And if they exist in the ways he says and are easyly exploited as he says I'd be willing to believe him more than I would believe the WPML team.
When it comes to WP Plugins WPML is one of the better ones but I've seen so much shit in the WP world that it wouldn't surprise me if WPML were borked in some amateurish manner as the man accuses them to be.

My 2 cents.

Yes, but where's the clickbait?

Gotta claim HAXX0RIN and HAX or people won't CLICK because that's the law of INTERTUBES CLICKBAIT.

Or maybe it's just idiot editors picking idiot stories to share.