WordPress translation plugin provider WPML leaks hundreds of thousands of customer records
WPML is one of the most popular WordPress multilingual plugins.
Our security research team at WaspCloud recently found a large data breach.
Up to 5 million customer records have been leaked.
WPML offers its customers the possibility to print their tax invoice after logging in to the customer portal.
The customer can view the invoice at a URL that ends like /?order=4711
As soon as you change the order ID in the browser's address bar, you receive the invoice for the selected order. There appears to be no check of whether that invoice belongs to the logged-in customer.
We were able to view invoices starting at invoice number 220 000 (order date September 2013) up to 5 138 679 (order date December 2019). Not all invoices in this number range could be viewed, however. It is still unclear why most of the invoices were viewable and some weren't.
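The flaw described above is a missing ownership check on a direct object reference: the portal verifies that a customer is logged in, then looks the invoice up by the order ID from the query string alone. The following is an added example written for this article and is not WPML's code; the handler names, the in-memory invoice table, the session model and the access-log format are all constructed for illustration. It places the unchecked lookup beside a hardened version that scopes the query to the caller, and adds a small log check that flags sessions requesting an unusual number of distinct order IDs, which is the kind of access pattern a defender would want to alert on for an endpoint like this.

```python
"""Invoice lookup by order ID: unchecked lookup, hardened lookup, and a log check.
Everything here is constructed for illustration; it is not WPML's code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    order_id: int
    customer_id: int   # the customer the invoice belongs to
    total: str


# Constructed sample data: three invoices owned by two customers.
INVOICES: Dict[int, Invoice] = {
    4711: Invoice(4711, customer_id=1, total="79.00 USD"),
    4712: Invoice(4712, customer_id=2, total="29.00 USD"),
    4713: Invoice(4713, customer_id=1, total="99.00 USD"),
}


class LoginRequired(Exception):
    pass


class NotFound(Exception):
    pass


def unchecked_invoice_view(session_customer_id: Optional[int], order_id: int) -> Invoice:
    """The defect pattern: authentication is checked, authorization is not.
    Any logged-in customer receives any invoice whose order ID they supply."""
    if session_customer_id is None:
        raise LoginRequired()
    inv = INVOICES.get(order_id)
    if inv is None:
        raise NotFound()
    return inv


def hardened_invoice_view(session_customer_id: Optional[int], order_id: int) -> Invoice:
    """Scopes the lookup to the caller. A foreign invoice and a non-existent one
    produce the same response, so the endpoint does not reveal which IDs exist."""
    if session_customer_id is None:
        raise LoginRequired()
    inv = INVOICES.get(order_id)
    if inv is None or inv.customer_id != session_customer_id:
        raise NotFound()
    return inv


def can_view(view: Callable[[Optional[int], int], Invoice],
             session_customer_id: Optional[int], order_id: int) -> bool:
    """True when the given handler returns an invoice for this session and order."""
    try:
        view(session_customer_id, order_id)
        return True
    except (LoginRequired, NotFound):
        return False


# Constructed access-log lines in a hypothetical "session method path status" format.
SAMPLE_ACCESS_LOG = """\
sess-A GET /?order=4711 200
sess-A GET /?order=4713 200
sess-B GET /?order=4711 200
sess-B GET /?order=4712 200
sess-B GET /?order=4713 200
sess-B GET /?order=4714 404
"""

LOG_LINE = re.compile(r"^(?P<session>\S+) GET /\?order=(?P<order>\d+) (?P<status>\d{3})$")


def sessions_fetching_many_orders(log_text: str, threshold: int = 3) -> List[str]:
    """Flag sessions that requested at least `threshold` distinct order IDs.
    A single customer normally views only their own few invoices, so a session
    walking through many IDs is worth an alert regardless of the status codes."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            seen[m["session"]].add(int(m["order"]))
    return sorted(s for s, orders in seen.items() if len(orders) >= threshold)


if __name__ == "__main__":
    # Customer 2 asks for order 4711, which belongs to customer 1.
    print("unchecked handler serves it:", can_view(unchecked_invoice_view, 2, 4711))
    print("hardened handler serves it:", can_view(hardened_invoice_view, 2, 4711))
    print("flagged sessions:", sessions_fetching_many_orders(SAMPLE_ACCESS_LOG))
```

In a real portal the scoping belongs in the data query itself (for example, selecting by order ID and the session's customer ID together) rather than in a post-fetch comparison, so that no handler can forget it; the threshold in the log check is a placeholder to tune against the portal's normal traffic.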
Examples of customer invoices that were viewable included:
Below is an invoice with customer details redacted by us:
We found this data breach on December 16th, 2019.
It is important to us to validate a discovered data breach and to understand its impact before informing the affected parties. Therefore we extract and analyse a sample data set, which is deleted once the research is complete.
In this particular case we were able to inform WPML on the same day.
WPML reacted commendably and blocked the whole domain within a few hours.
We found this breach as a result of our security research activities.
Our research team investigates possible vulnerabilities around the clock in order to give the best security advice to our clients.
As ethical hackers we feel obliged to notify the affected company if we discover deficiencies in its online security. This applies in particular when the company's data protection violation involves such private information.
However, this ethic also means that we have a responsibility towards the public. WPML customers must be made aware of a data breach that affects them.
WaspCloud is a cloud security research team.
We build custom-tailored security solutions for our clients and make the web safer for all internet users.