A WordPress Plugin Vulnerability Could be the Reason Behind Panama Leaks

Mossack Fonseca, the law firm at the center of the Panama Leaks scandal, could have been hacked through outdated versions of WordPress and Drupal, according to analysis by the team behind Wordfence, a security plugin for WordPress

Significant security holes in both CMS platforms, which were being used to power the front end site and a customer portal, could have resulted in the leak that’s shined a harsh light on the wealth of the 1%.

Out of Date CMS and a Vulnerable Plugin:

The law firm’s front end site was using a WordPress plugin that is vulnerable to attack and can provide shell access on the server to a hacker  Revolution Slider, the affected plugin, is one of the most common WordPress security vulnerabilities.

A working exploit for Revolution Slider was posted back in October, 2014. Since then, any hacker with enough time on his hands can exploit sites that use the outdated insecure plugin. The working theory is that the hackers found out that Mossack Fonseca were vulnerable via automated robots that routinely check for the plugin invulnerability. Once it was logged as a possible target, the hackers probably rubbed their hands in glee at the unexpected stupidity of storing sensitive data on the same server as web content.

Mossack Fonseca’s WordPress and Drupal installs were out of date by 3 months and 2 years respectively

That’s not all. The firm’s Drupal portal for customers submitting sensitive business information was also out of date by a staggering 2 years. What’s even worse is that Drupal 7 was termed critically vulnerable  and experts recommended an immediate upgrade in a later relase. At the time, the Drupal Security Team said, “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC; that is, seven hours after the announcement.”.

So it’s possible that the company’s Drupal site was backdoored for over a year. With the web and email servers being on the same network, it was a matter of time before hackers got to the emails once they had access.

While Mossack Fonseca has put up a firewall in the last month and have updated the WordPress core, it would still be possible to exploit the site if they were running the outdated plugin, notes Wordfence.

In conclusion, we’d like to stress the importance of basic security principles. Just update. If you are using a site that powered by the WordPress CMS, it’s essential that you upgrade your plugins, themes and WP itself as soon as a newer version is available. While your data may not force leaders of countries and MNCs to resign, it’s still valuable.

Image source: Wired

Talal is the Editor in Chief at ProPakistani.


  • Muhammad Shahzaib Anwar

    whatever the reason it was but there won’t be anything good going to be happen at least in Pakistan.
    whatever you leaks it doesn’t matter here even its truth.

  • mossawir ahmed

    ok.. now that’s a big issue. mostly developer like me use plugin like royal and revolutions slider to save time and now this happened. now it time to do complete custom code my projects and update plugin on rest of them. that’s a real pain :S

    • How odd. You think it’s a “real pain” to actually do the work of a software developer? What have you been calling your profession all this time?

      • mossawir ahmed

        been a developer its not hard to code a custom slider or custom code. brother the thing is client requirement in short deadline. is ko yo kr de or is ko yoo krdo and that takes lots of time. plugins save you lots of time. Development time.

    • KMQ

      Aare mossawir bhai, custom code main ziyada aman hai seriously. Ek dafah try karo, apna koi slider banao HTML/JS main and then give flexibility to clients to edit them though ACF. Client ko bhi aasan lage ga to edit aur apke liye bhi flexible hoga to edit and customize.

      • mossawir ahmed

        je je i know brother. kuch clients aisai hai jin cheye he royal slider. wo khud khareed kr daitai hai .. and me. i would never use slider personal plugin. rather customize Cycle 2 :D.

      • mossawir ahmed

        je je i know brother. kuch clients aisai hai jin cheye he royal slider. wo khud khareed kr daitai hai .. and me. i would never use slider plugin. rather customize Cycle 2 :D.

  • Muhammad Zaman

    Blessing for Pakistan