And yet another commercial WordPress plugin gets exploited in the wild: Wordfence security analysts have identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of January.
In this case the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus was a target for malicious actors, who have been exploiting two flaws related to AJAX functionality that allows for the uploading and deletion of files.
The WP Cost Estimation & Payment Forms Builder plugin allows WordPress website administrators to create cost calculators and payment forms. The tool is offered on CodeCanyon for $28 and it has been purchased from their marketplace over 11,000 times. It has been on sale on the CodeCanyon marketplace for the last five years.
The first flaw, in an AJAX handler, allows attackers to upload malicious PHP files under an apparently harmless or made-up file extension; WP Cost Estimation normally prevents users from uploading dangerous file types to the server. In a second step, the attackers upload a .htaccess file that associates the non-standard file extension with the site’s PHP interpreter, so that when they later request the file, the PHP code it contains executes and activates the backdoor.
The second flaw, in another AJAX handler, allows attackers to delete arbitrary files. In the attacks spotted by Wordfence, the attackers deleted the wp-config.php file, which makes WordPress believe a fresh install is taking place, since no database configuration is present, and lets the attacker connect the site to a database they control and log in as administrator.
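The two intrusions described above leave recognisable traces on disk. The following added example (not code from the original article, from Wordfence or from the plugin's developer) is a defender-side scan of a WordPress uploads directory for exactly those traces: an .htaccess file that hands a non-standard extension to the PHP handler, PHP code hiding in files with harmless extensions, and a missing wp-config.php. Every path and the sample site tree are constructed here for the demonstration.

```python
"""Added example (not code from the original article, Wordfence or Loopus):
a defender-side scan for the traces the attacks above leave behind in a
WordPress uploads directory. All paths and the sample site tree are
constructed here for the demonstration."""
import os
import re
import tempfile

# Apache directives that can cause a file to be executed as PHP.
PHP_HANDLER_DIRECTIVE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|ForceType)\b.*php",
    re.IGNORECASE | re.MULTILINE,
)
# A PHP open tag; the "<?xml" prologue of SVG files does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def htaccess_maps_to_php(path):
    """True if an .htaccess file routes some extension to the PHP interpreter."""
    with open(path, "r", errors="replace") as fh:
        return bool(PHP_HANDLER_DIRECTIVE.search(fh.read()))


def contains_php(path):
    """True if the first 64 KiB of the file holds a PHP open tag."""
    with open(path, "rb") as fh:
        return bool(PHP_OPEN_TAG.search(fh.read(65536)))


def scan_uploads(uploads_dir):
    """Walk the uploads tree; return sorted (finding, relative_path) tuples."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
            if name == ".htaccess":
                if htaccess_maps_to_php(full):
                    findings.append(("htaccess-php-handler", rel))
            elif contains_php(full):
                # Uploads should never hold executable PHP, whatever the extension says.
                findings.append(("php-code-in-upload", rel))
    return sorted(findings)


def wp_config_present(site_root):
    """False if wp-config.php is gone, the state that brings up the installer."""
    return os.path.isfile(os.path.join(site_root, "wp-config.php"))


def build_sample_site():
    """Construct a throwaway site tree mirroring the compromised state.

    Returns (site_root, uploads_dir). The handler directive and the payload
    marker are constructed samples, not real attacker files."""
    site_root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads_dir = os.path.join(site_root, "wp-content", "uploads")
    month_dir = os.path.join(uploads_dir, "2019", "02")
    os.makedirs(month_dir)
    with open(os.path.join(uploads_dir, ".htaccess"), "w") as fh:
        fh.write("AddHandler application/x-httpd-php .xyz\n")
    with open(os.path.join(month_dir, "invoice.xyz"), "w") as fh:
        fh.write("<?php /* constructed sample marker, no payload */ ?>\n")
    with open(os.path.join(month_dir, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # wp-config.php is deliberately absent, as after the deletion described above.
    return site_root, uploads_dir


if __name__ == "__main__":
    root, uploads = build_sample_site()
    for finding in scan_uploads(uploads):
        print(*finding)
    print("wp-config.php present:", wp_config_present(root))
```

Pointed at a real site root, the scan reports the handler-mapping .htaccess, every upload containing a PHP open tag and the absence of wp-config.php; any hit warrants a full incident review rather than just deleting the file. Independently of the plugin fix, serving the uploads directory with .htaccess overrides disabled and PHP execution switched off removes the second step of the first attack altogether.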
The ongoing attacks were first spotted at the end of last month by incident responders at Defiant, the company behind the Wordfence WordPress firewall plugin.
Third potential flaw
A third, potentially serious flaw was discovered by the Wordfence researcher while checking the effectiveness of the patches released for these vulnerabilities. This third vulnerability, an upload directory traversal issue that can be exploited to overwrite any file with a whitelisted type, was reported and patched by the developer a few days later.
All WP Cost Estimation versions before v9.644 are vulnerable to these attacks, according to Wordfence. The good news is that the developer fixed the bug quickly with the release of v9.644 in October 2018, after only one user complained about having their site hacked.
The problem is that the developer did not publicly disclose the security issue beyond a short mention in a now-buried CodeCanyon comment, so most users are unaware of the danger they may be in.
Meanwhile another plugin, MapSVG Lite version 3.2.3, contains a Cross-Site Request Forgery (CSRF) vulnerability in a REST endpoint. The attack appears to be exploitable; however, the victim must be logged in to WordPress as an administrator and click a link. This vulnerability appears to have been fixed in version 3.3.0 and later.