Hackers Target WordPress Sites via WP Cost Estimation Plugin

Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder.

Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. The tool is offered on CodeCanyon for $28 and it has been purchased from this marketplace nearly 12,000 times.

Defiant, the developer of the Wordfence security plugin for WordPress websites, reported on Wednesday that it has been seeing attacks exploiting vulnerabilities in WP Cost Estimation & Payment Forms Builder to plant backdoors on websites.

The targeted flaws were patched by the developer months ago, but since no security warning was issued many users have not installed the updates and left their websites vulnerable to attacks.

According to Wordfence researchers, malicious actors have been exploiting two vulnerabilities related to uploading and deleting files.

WP Cost Estimation normally prevents users from uploading dangerous file types to the server, but a flaw in the plugin allowed attackers to upload malicious PHP files under an apparently harmless extension.

The second flaw allows attackers to delete arbitrary files. In the attacks spotted by Wordfence, they deleted the wp-config.php file, which makes WordPress believe that a fresh install is taking place – since no database configuration is present – enabling the hacker to connect the site to their own database and log in as administrator.


Either vulnerability on its own should allow hackers to achieve the same goal, yet both security holes were exploited in attacks aimed at the same site, which has led experts to believe that the file upload exploit did not produce the expected result.

Discussions on CodeCanyon reveal that several users reported that their sites had been hacked through this plugin. Some of the messages exchanged between the developer and users of WP Cost Estimation roughly 4 months ago suggest that the flaws may have had a zero-day status at some point – malicious actors exploited the weaknesses before the developer learned of their existence.

While investigating the effectiveness of the patches released for these vulnerabilities, Wordfence researchers discovered another potentially serious flaw – an upload directory traversal issue that can be exploited to overwrite any file with a whitelisted type.

“Even with a whitelist only allowing images and archives to be uploaded, an attacker could cause serious trouble with an exploit. Any image on a site could be overwritten, allowing defacement campaigns to replace them en masse. If any backups are kept in an accessible location in a zip archive, an attacker could replace this backup with their own poisoned version, containing new users in the database or backdoors buried elsewhere in the file structure. When the backup is restored (perhaps following a mysterious case of overwritten images), these backdoors would be deployed,” the researchers explained.
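A defensive illustration of the two upload weaknesses described above (PHP content hidden behind an innocent extension, and a traversal that overwrites whitelisted files), added here and not taken from the plugin, from Loopus or from Wordfence: a strict upload-name check that refuses traversal, double extensions and overwrites of existing files, plus an audit routine that flags files in an uploads tree whose extension is whitelisted but whose content is PHP. The whitelist, the marker strings and the directory names are assumptions.

```python
import os
import re
from pathlib import Path
from typing import List, Optional

# Assumed whitelist: images and archives, as in the Wordfence description.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "zip"}
# Byte sequences that mark PHP code regardless of the file's extension.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')
# One name segment, one dot, one extension: no separators, no double extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,100}\.[A-Za-z0-9]{1,8}")


def safe_upload_path(upload_root: str, client_filename: str) -> Optional[Path]:
    """Return the path an upload may be written to, or None if it is rejected.

    Rejects names containing separators or '..' (directory traversal), names
    with more than one dot (e.g. shell.php.jpg), extensions outside the
    whitelist, and targets that already exist (the overwrite primitive).
    """
    if not SAFE_NAME.fullmatch(client_filename):
        return None
    ext = client_filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    root = Path(upload_root).resolve()
    target = (root / client_filename).resolve()
    if target.parent != root or target.exists():
        return None
    return target


def looks_like_php(data: bytes) -> bool:
    """True if the first 4 KiB of the content contains a PHP opening tag."""
    return any(marker in data[:4096] for marker in PHP_MARKERS)


def audit_uploads(upload_root: str) -> List[Path]:
    """Walk an existing uploads directory and list files whose extension is
    whitelisted but whose content is PHP (a planted script, not an image)."""
    suspicious = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for fname in files:
            path = Path(dirpath) / fname
            if path.suffix.lower().lstrip(".") in ALLOWED_EXTENSIONS:
                with open(path, "rb") as fh:
                    if looks_like_php(fh.read(4096)):
                        suspicious.append(path)
    return suspicious
```

Point `audit_uploads` at a site's `wp-content/uploads` directory to list candidates for manual review; an empty list does not prove the site is clean, only that no whitelisted-extension file starts with a PHP tag.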

Wordfence researchers reported this flaw to Loopus on January 26 and a patch was released a few days later.

It’s not uncommon for malicious actors to exploit recently patched or zero-day flaws affecting plugins to target WordPress websites. Recently disclosed attacks involved the AMP for WP, WordPress GDPR Compliance, and Total Donations plugins.

Related: WordPress Patches Privilege Escalation Vulnerabilities

Related: Former Employee Hacks Popular WordPress Plugin’s Website

Related: WordPress to Warn on Outdated PHP Versions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
