Hackers Target WordPress Sites via WP Cost Estimation Plugin

Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder.

Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. The tool is offered on CodeCanyon for $28 and it has been purchased from this marketplace nearly 12,000 times.

Defiant, the developer of the Wordfence security plugin for WordPress websites, reported on Wednesday that it has been seeing attacks exploiting vulnerabilities in WP Cost Estimation & Payment Forms Builder to plant backdoors on websites.

The targeted flaws were patched by the developer months ago, but since no security warning was issued, many users have not installed the updates, leaving their websites vulnerable to attacks.

According to Wordfence researchers, malicious actors have been exploiting two vulnerabilities related to uploading and deleting files.

WP Cost Estimation normally prevents users from uploading dangerous file types to the server, but a flaw in the plugin allowed them to upload malicious PHP files with an apparently harmless extension.

The second flaw allows attackers to delete arbitrary files. In the attacks spotted by Wordfence, they deleted the wp-config.php file, which makes WordPress believe that a fresh install is taking place – since no database configuration is present – enabling the hacker to connect the site to their own database and log in as administrator.

Although either vulnerability on its own should allow hackers to achieve the same goal, both security holes have been exploited in attacks aimed at the same site, which has led experts to believe that the file upload exploit did not produce the expected result.

Discussions on CodeCanyon reveal that several users reported that their sites had been hacked through this plugin. Some of the messages exchanged between the developer and users of WP Cost Estimation roughly 4 months ago suggest that the flaws may have had a zero-day status at some point – malicious actors exploited the weaknesses before the developer learned of their existence.

While investigating the effectiveness of the patches released for these vulnerabilities, Wordfence researchers discovered another potentially serious flaw – an upload directory traversal issue that can be exploited to overwrite any file with a whitelisted type.

“Even with a whitelist only allowing images and archives to be uploaded, an attacker could cause serious trouble with an exploit. Any image on a site could be overwritten, allowing defacement campaigns to replace them en masse. If any backups are kept in an accessible location in a zip archive, an attacker could replace this backup with their own poisoned version, containing new users in the database or backdoors buried elsewhere in the file structure. When the backup is restored (perhaps following a mysterious case of overwritten images), these backdoors would be deployed,” the researchers explained.

Wordfence researchers reported this flaw to Loopus on January 26 and a patch was released a few days later.
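As an added example (not code from the WP Cost Estimation plugin or from Wordfence), the following Python upload validator shows the two checks whose absence is described above: a whitelist applied to every dotted segment of the file name, so a PHP file with an apparently harmless extension is refused, and containment of the resolved destination inside the uploads directory, which blocks the upload directory traversal. The `upload_root` and `subdir` parameters are assumptions, and the sweep function is a site owner's after-the-fact check for planted files.

```python
"""Hardened upload handling for a WordPress-style uploads directory: a strict
extension whitelist applied to every dotted segment of the name, containment
of the resolved destination inside the uploads directory, and a sweep that
lists files already on disk that would fail the whitelist."""
import os
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "zip"}  # images and archives
# Types a web server may execute; refused in ANY position so that a double
# extension such as "shell.php.jpg" does not slip past a last-segment check.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "php7", "phar"}
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # no slash, NUL, leading dot


class UploadRejected(ValueError):
    """Raised when an upload name or destination fails validation."""


def has_executable_extension(name: str) -> bool:
    parts = name.lower().split(".")
    return any(p in EXECUTABLE_EXTENSIONS for p in parts[1:])


def name_is_allowed(name: str) -> bool:
    """Whitelist decision on the bare file name (no path checks)."""
    if not _SAFE_NAME.fullmatch(name) or has_executable_extension(name):
        return False
    parts = name.lower().split(".")
    return len(parts) >= 2 and parts[-1] in ALLOWED_EXTENSIONS


def validate_upload(upload_root: str, client_name: str, subdir: str = "") -> str:
    """Return the absolute destination for an upload or raise UploadRejected.

    upload_root is the directory uploads must land in (hypothetical path);
    client_name and subdir are request-controlled and treated as untrusted.
    """
    if not name_is_allowed(client_name):
        raise UploadRejected("file name failed whitelist: %r" % client_name)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, subdir, client_name))
    # Containment: after '..' and symlinks are resolved, dest must remain under
    # root. This is the check that stops an upload directory traversal.
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escapes upload directory")
    return dest


def find_suspicious_files(upload_root: str) -> list:
    """List files already in the tree whose names would fail the whitelist."""
    hits = []
    for dirpath, _dirs, files in os.walk(upload_root):
        hits.extend(os.path.join(dirpath, f) for f in files if not name_is_allowed(f))
    return sorted(hits)
```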

It’s not uncommon for malicious actors to exploit recently patched or zero-day flaws affecting plugins to target WordPress websites. Recently disclosed attacks involved the AMP for WP, WordPress GDPR Compliance, and Total Donations plugins.

Related: WordPress Patches Privilege Escalation Vulnerabilities

Related: Former Employee Hacks Popular WordPress Plugin’s Website

Related: WordPress to Warn on Outdated PHP Versions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
