Another Commercial WordPress Plugin Gets Exploited


In the past few months, the commercial WordPress plugin WP Cost Estimation has been under attack from hackers. The attackers are exploiting an old vulnerability in the plugin to break into websites and plant backdoors. These ongoing attacks were first spotted by Defiant, the company behind the Wordfence firewall plugin.

Plugin Affected

The latest exploit affects WP Cost Estimation & Payment Forms Builder. It is a commercial plugin for WordPress that helps to build e-commerce-centric forms. The plugin has been on sale on the CodeCanyon marketplace for the past five years.

In an interview with ZDNet, Threat Analyst Mikey Veenstra from Defiant said the hackers were using the compromised sites to hijack incoming traffic and redirect it to other websites.

In a report on the Wordfence official blog, Veenstra and the team at Defiant explained the details of the exploit.

Details of the Exploit

They said that hackers were abusing an AJAX-related flaw in the plugin’s upload functionality. This allowed them to save files with arbitrary, non-standard extensions on targeted sites.

The next step was to upload a .htaccess file that associated the non-standard file extension with the site’s PHP interpreter. This ensured that when they later requested the uploaded file, the web server would execute it as PHP code and activate the backdoor.
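The two-step technique above leaves artifacts a site owner can look for: a .htaccess file that binds an extra extension to the PHP handler, and files under wp-content/uploads whose extension does not belong there. The following scanner is an added example written for this article; it is not code from Wordfence, Defiant or the plugin's author. The directive names it matches (AddHandler, AddType, SetHandler, ForceType) are standard Apache directives; the expected-extension list, the sample tree and the `.xyz` extension are constructed assumptions, not indicators taken from the real attacks.

```python
"""Scan a WordPress tree for .htaccess files that route extra extensions to
PHP, and for unexpected file types under wp-content/uploads.
Added example for this article; not the plugin's or Wordfence's code."""
import os
import re
import tempfile

# Apache directives that can hand a request to the PHP engine.
HANDLER_DIRECTIVES = ("AddHandler", "AddType", "SetHandler", "ForceType")
PHP_RE = re.compile(r"php", re.IGNORECASE)
# Assumption: what legitimately lives under uploads on this site; tune per install.
EXPECTED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp4"}


def php_handler_findings(htaccess_text):
    """Return (line_number, line) for every directive binding something to PHP."""
    findings = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are harmless
        directive = line.split(None, 1)[0]
        if directive in HANDLER_DIRECTIVES and PHP_RE.search(line):
            findings.append((lineno, line))
    return findings


def scan_tree(root):
    """Walk `root`; return (suspicious_htaccess, odd_upload_files)."""
    bad_htaccess = []
    odd_files = []
    for dirpath, _dirs, files in os.walk(root):
        in_uploads = "uploads" in os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = php_handler_findings(fh.read())
                if hits:
                    bad_htaccess.append((path, hits))
            elif in_uploads:
                ext = os.path.splitext(name)[1].lower()
                if ext not in EXPECTED_UPLOAD_EXT:
                    odd_files.append(path)
    return bad_htaccess, odd_files


def build_sample_tree():
    """Create a throwaway tree with constructed sample data (not a real site)."""
    root = tempfile.mkdtemp(prefix="wp_scan_")
    uploads = os.path.join(root, "wp-content", "uploads", "2019", "02")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes, benign
    with open(os.path.join(uploads, "notes.xyz"), "w") as fh:
        fh.write("<?php // constructed placeholder, not a real backdoor\n")
    with open(os.path.join(uploads, ".htaccess"), "w") as fh:
        # Constructed sample of the remapping the article describes.
        fh.write("# constructed sample\nAddHandler application/x-httpd-php .xyz\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        # Ordinary WordPress rewrite rules must not be flagged.
        fh.write("RewriteEngine On\nRewriteRule . /index.php [L]\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    suspicious, odd = scan_tree(sample_root)
    for path, hits in suspicious:
        for lineno, line in hits:
            print(f"PHP handler in {path}:{lineno}: {line}")
    for path in odd:
        print(f"Unexpected upload: {path}")
```

Run it against a site's document root instead of the sample tree to get a list worth reviewing by hand. The scanner only detects; the structural fix on Apache is to serve wp-content/uploads with `AllowOverride None` (so an uploaded .htaccess is ignored) and PHP execution disabled for that directory, and on the application side to keep the plugin at a patched version.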

Vulnerable Versions

All versions of the WP Cost Estimation plugin before v9.644 are vulnerable to these attacks according to Wordfence. The good news is that the developer fixed the bug with the new version v9.644 in October 2018 after someone complained that their site had been hacked.

However, the developer didn’t publicly disclose this security problem apart from a small CodeCanyon comment. This meant many users were unaware of the danger their sites were in.

Security experts often regard commercial plugins as a risky choice and advise against buying them, because such plugins are frequently abandoned after a few months or years. This leaves users with a plugin that isn’t regularly patched for new security issues down the line.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com; this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]