WordPress translation plugin provider WPML leaks hundreds of thousands of customer data

WPML is one of the most popular WordPress multilingual plugin.

Our security research team at WaspCloud has recently found a huge data breach.

Up to 5 Mio customer datasets have been leaked.

Details of Data Breach

WPML offers its customers the possibility to print their tax invoice after login to the customer portal.

The customer can view the invoice at an URL that ends like /?order=4711

As soon as you change the order ID in the browser bar you received the invoice of the selected order. There seems to be no check whether this invoice matched to the logged in customer or not.

We were able to view invoices starting at invoice number 220 000 (order date September 2013) up to 5 138 679 (order date December 2019). But not all invoices in this number range could have been viewed. It is still unclear, why most of the invoices were viewable and some weren’t.

Examples of customer invoices that were viewable included:

• Customer’s name
• Email address
• Company address (if applicable)
• VAT-ID (if applicable)
• Order details (kind of WPML subscription)
• Order date
• Payed price
• Payment method (like PayPal, 2Checkout, etc.)

Example invoice

Below is a invoice with customer details redacted by us:

Reactions

We found this data breach on December, 16th 2019.

It is important for us to validate a found data breach and to understand the impact before informing the affected parties. Therefore we extract and analyse a sample data set, which is deleted after completing the research.

In this particular case we were able to inform WPML already on the same day.

WPML reacted commendable and blocked the whole domain within a few hours.

Why we discovered the breach

We found this breach as a result of our security research activities.

Our research team is investigating for possible vulnerabilities around the clock to be able to give the best security advises to our clients.

As ethical hackers we feel obliged to notify the affected company if we discover deficiencies in their online security. This applies in particular if the company’s data protection violation contains such private information.

However, this ethics also means that we have a responsibility towards the public. WPML customers must be aware of a data breach that affects them.

About us

WaspCloud is a Cloud Security Research team.

We build custom-tailored security solutions for our clients and make the web more safe for all internet users.