In the past few months, commercial WordPress plugin WP Cost Estimation has been under attack from hackers. These hackers are exploiting old vulnerabilities in these plugins to break into websites and plant backdoors. These ongoing attacks were first spotted by Defiant, who is behind the Wordfence firewall plugin.
The latest exploit affects WP Cost Estimation & Payment Forms Builder. It is a commercial plugin for WordPress that helps to build e-commerce-centric forms. The plugin has been on sale on the CodeCanyon marketplace for the past five years.
In an interview with ZDNet, Threat Analyst Mikey Veenstra from Defiant said the hackers were using the site to hijack incoming traffic and direct it to other websites.
In a report on the Wordfence official blog, Veenstra and the team at Defiant explained the details of the exploit.
Details of the Exploit
They said that hackers were abusing an AJAX-related flaw in the plugin’s upload functionality. This allowed them to save files with nonsensical extensions on targeted sites.
The next step was for them to upload a .htaccess file associated the non-standard file extension with the sites PHP interpreter. It ensured that when they later accessed it, the PHP code would execute and activate the backdoor.
All versions of the WP Cost Estimation plugin before v9.644 are vulnerable to these attacks according to Wordfence. The good news is that the developer fixed the bug with the new version v9.644 in October 2018 after someone complained that their site had been hacked.
However, the developer didn’t publically disclose this security problem apart from a small CodeCanyon comment. This meant many users were unaware of the danger their sites were in.
Commercial plugins are often seen as a bad idea by security experts who advise against buying them as they are often abandoned after a few months or years. This leaves users with a plugin that isn’t regularly patched for new security issues down the line.