Over the weekend, a very popular WordPress plugin was hacked after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website.

The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has more than 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it does not need to promote itself on the official WordPress.org repository with a free version. But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007.

The attacker, believed by the WPML team to be a former employee, sent a mass email to all customers of the plugin. In the email, the attacker claimed that he was a security researcher who had reported several vulnerabilities to the WPML team, which were ignored. The email [1, 2, 3, 4] urged customers to check their sites for possible compromise.

However, the WPML team strongly contested these claims. Both on Twitter [1, 2] and in a follow-up mass email, the WPML team said that the hacker was a former employee who left a backdoor on its official website and used it to access its server and customer database. WPML claims that the hacker used the email addresses and customer names from the website's database to send the mass email, but also used the backdoor to deface its site, leaving the email text as a blog post on its website [archived version].

The developers said that the former employee had no access to financial information because they do not store such details, but they did not rule out that he could now log into customers' WPML.org accounts as a result of compromising the site's database.

The company said that it is now rebuilding its server from scratch to remove the backdoor and resetting all passwords for customer accounts. The WPML team also stated that the hacker did not access its official plugin's source code and did not push a malicious version to customer sites.

The company and its management were not available for further questions related to the incident. It is unclear whether they had reported the employee to the authorities at the time of writing. If the company's claims are true, it is unlikely that the former employee will escape prison time.