Hackers Target WordPress Sites via WP Cost Estimation Plugin

Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder.

Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. The tool is offered on CodeCanyon for $28 and it has been purchased from this marketplace nearly 12,000 times.

Defiant, the developer of the Wordfence security plugin for WordPress websites, reported on Wednesday that it has been seeing attacks exploiting vulnerabilities in WP Cost Estimation & Payment Forms Builder to plant backdoors on websites.

The targeted flaws were patched by the developer months ago, but since no security warning was issued many users have not installed the updates and left their websites vulnerable to attacks.

According to Wordfence researchers, malicious actors have been exploiting two vulnerabilities related to uploading and deleting files.

WP Cost Estimation normally prevents users from uploading dangerous file types to the server, but a flaw in the plugin allowed them to upload malicious PHP files with an apparently harmless extension.

The second flaw allows attackers to delete arbitrary files. In the attacks spotted by Wordfence, they deleted the wp-config.php file, which makes WordPress believe that a fresh install is taking place – since no database configuration is present – enabling the hacker to connect the site to their own database and log in as administrator.

While both vulnerabilities should allow hackers to achieve the same goal, both security holes have been exploited in attacks aimed at the same site, which has led experts to believe that the file upload exploit did not produce the expected result.

Discussions on CodeCanyon reveal that several users reported that their sites had been hacked through this plugin. Some of the messages exchanged between the developer and users of WP Cost Estimation roughly 4 months ago suggest that the flaws may have had a zero-day status at some point – malicious actors exploited the weaknesses before the developer learned of their existence.

While investigating the efficiency of the patches released for these vulnerabilities, Wordfence researchers discovered another potentially serious flaw – an upload directory traversal issue that can be exploited to overwrite any file with a whitelisted type.

“Even with a whitelist only allowing images and archives to be uploaded, an attacker could cause serious trouble with an exploit. Any image on a site could be overwritten, allowing defacement campaigns to replace them en masse. If any backups are kept in an accessible location in a zip archive, an attacker could replace this backup with their own poisoned version, containing new users in the database or backdoors buried elsewhere in the file structure. When the backup is restored (perhaps following a mysterious case of overwritten images), these backdoors would be deployed,” the researchers explained.

Wordfence researchers reported this flaw to Loopus on January 26 and a patch was released a few days later.

It’s not uncommon for malicious actors to exploit recently patched or zero-day flaws affecting plugins to target WordPress websites. Recently disclosed attacks involved the AMP for WP, WordPress GDPR Compliance, and Total Donations plugins.

Related: WordPress Patches Privilege Escalation Vulnerabilities

Related: Former Employee Hacks Popular WordPress Plugin’s Website

Related: WordPress to Warn on Outdated PHP Versions