Popular WordPress Plugin WPML Hacked By Angry Former Employee (zdnet.com)
A very popular WordPress plugin was hacked over the weekend after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. From a report: In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins so reputable that it doesn't need to advertise itself with a free version on the official WordPress.org plugins repository. But on Saturday (US Eastern time), the plugin faced its first major security incident since its launch in 2007. The attacker, whom the WPML team claims is a former employee, sent out a mass email to all the plugin's customers.
Re: (Score:2)
No, this is what happens after you lay them off because you thought they weren't doing anything.
Re: (Score:1)
Do you have an actual rebuttal to the fact checking?
Re:Security (Score:4, Informative)
It's also a joke that in 2019 WordPress has no notion of sandboxing plugins so that any security holes they do have could be reasonably contained. Why do they still allow plugins to be huge gaping security holes?
Re: (Score:2)
A better question is why does garbage like WordPress still exist.
Re: (Score:2)
WordPress is a sloppily designed CMS written in the sloppily designed language PHP.
The entire architecture is so laughably bad that it's no surprise at all that they have to deal with security issues on an almost weekly basis. WordPress is designed to be easy to get up and running. That's why it's popular. Security, maintenance and data workflow are all afterthoughts that need to be shoehorned in.
This situation is completely unavoidable. There is no facility in the language for supporting something as s
Re: (Score:2)
Yeah, I would hardly categorize this as a 'hack', and more like a company that knows nothing about how to handle terminations. The headline should read:
"Popular WordPress plugin WPML fails to properly off-board former employee, website defaced"
Enjoy your criminal record, idiot (Score:5, Insightful)
Hope they get this idiot charged and release their name.
Every time one of these "inside" IT type persons does something against an employer by using their privileged access to their systems, it makes it more difficult for all of us to operate within our own companies. And don't try to fault me by the "ex-employee" logic. Any one of us knows full well we could fsck with a former employer's systems even if they think they've locked us out.
Those in our field who violate the trust placed in us by employers should be drawn and quartered, tarred and feathered. At the very least named and shamed.
Re: (Score:1)
Or, you know, employers could treat their employees well and build loyalty. Crazy, I know.
Re: (Score:3)
Or, you know, employers could treat their employees well and build loyalty. Crazy, I know.
Why are you assuming they didn't? Some people are just assholes. If someone is willing to pull a stunt like this, I'm inclined to believe that they weren't a particularly good admin to begin with.
Re: (Score:2)
I'd like to see his proof reviewed by experts ... (Score:2)
... and then, if he's proven to be reasonably right with his accusations, be let off the hook. It should be very easy to check the WPML codebase and the security holes he speaks of. And if they exist in the ways he says and are as easily exploited as he says, I'd be willing to believe him more than I would believe the WPML team.
When it comes to WP Plugins WPML is one of the better ones but I've seen so much shit in the WP world that it wouldn't surprise me if WPML were borked in some amateurish manner as the man