In a serious case of insider threat, CyberScoop reported that the website of popular WordPress plugin WPML had a former employee exploit an old password and a hidden vulnerability the employee previously inserted into the site to gain access after leaving the company. The employee appeared to use his access to post a message on a website and spam the same message to WPML clients.
Ex-Employee Hacks WPML WordPress Plugin Site and Spams Users – BleepingComputer https://t.co/a3yJrd3AYl
— ExpertTheme (@experttheme01) January 23, 2019
WPML said the incident caused it to lose client data, forced it to rebuild its server from scratch and prompted it to reset all customers’ passwords. OnTheGoSystems said that the plugin itself was not vulnerable and that payment information had not been exposed.
We finished rebuilding our https://t.co/PNgrXNs87B site after it was hacked this weekend. Please, be sure to update your WPML account password and use a secure one. Again, the plugin was not compromised. Thanks for all the support messages and apologies for the whole situation.
— WPML (@wpml) January 21, 2019
Expert Comments Below:
Bill Evans, a VP at One Identity:
“This is as much an issue with provisioning as it is with segregation of duties. Organisations need to ensure that users – which include both admins and developers – have the *right* access which means they have only the access they need to do their jobs – nothing more and nothing less. In the case of this developer, they likely had access to a privileged account password, a database password or an administrator password that was shared by many employees for the purpose of doing maintenance on critical systems. This is the latest incident that shows the importance of employing basic privileged access management practices — like using a password vault, modern session management, and behaviour analytics — so that there are no hidden “old passwords” lurking in the code or in DevOps configuration files that employees can use.”