WordPress Commercial Plugin Found To Have Vulnerability That Redirects Traffic

WordPress may be the most popular CMS powering the web. But even with the many developers in the community working to perfect the software, flaws can still be present.

One of these is an old vulnerability in a commercial WordPress plugin that allows hackers to break into websites and plant backdoors for remote access.

The attacks were first spotted at the end of January by researchers from Defiant, the company behind the Wordfence WordPress firewall plugin.

They found that hackers were exploiting vulnerabilities in 'WP Cost Estimation & Payment Forms Builder,' a commercial WordPress plugin that allows WordPress webmasters to create cost calculators and payment forms. The plugin has been on sale on CodeCanyon's marketplace since 2014.

Defiant Threat Analyst Mikey Veenstra said that the hacked websites they investigated had been made to hijack incoming traffic and redirect it to other websites.

Hackers who are able to infiltrate a site can also abuse it for other nefarious activities if they want to.

In a report published on the Wordfence official blog, Veenstra and his colleagues detailed the technical aspects of the vulnerability:

POST /wp-admin/admin-ajax.php?action=lfb_upload_form
POST /wp-admin/admin-ajax.php?action=lfb_upload_form
POST /wp-content/uploads/CostEstimationPayment/_/ngfndfgsdcas.tss

Here, the hackers abuse an AJAX-related flaw in the plugin's upload functionality to save files with nonsense, seemingly harmless extensions (such as ngfndfgsdcas.tss) on targeted sites.

After that, the attackers upload a customized .htaccess file that associates the non-standard file extension with the site's PHP interpreter. This ensures that the attackers can later access the file and have it executed as PHP.

The PHP code contained within would then enable the attackers to execute commands and activate the backdoor.
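As an added illustration for site operators (not code from Wordfence or from the article), the script below scans constructed web-server access-log lines for the chain shown above: a POST to admin-ajax.php with action=lfb_upload_form, followed by a request from the same client to an oddly named file under the plugin's upload directory. The set of benign extensions and the sample log entries are assumptions made for this example.

```python
import re
from collections import defaultdict

# Minimal parser for Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ACTION = "action=lfb_upload_form"
UPLOAD_DIR = "/wp-content/uploads/CostEstimationPayment/"
# Extensions one would expect the plugin to serve from its upload
# directory (assumption for this example; tune for your site).
BENIGN_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "css", "js"}

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_upload_post(rec):
    return (rec["method"] == "POST" and "admin-ajax.php" in rec["path"]
            and UPLOAD_ACTION in rec["path"])

def is_odd_upload_hit(rec):
    """Request to a file in the plugin's upload dir with a non-standard
    extension, or to a dropped .htaccess."""
    path = rec["path"].split("?")[0]
    if not path.startswith(UPLOAD_DIR):
        return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return name == ".htaccess" or ext not in BENIGN_EXT

def detect(lines):
    """Map client IP -> suspicious events, keeping only clients that POSTed
    to lfb_upload_form and afterwards requested an odd file they uploaded."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if is_upload_post(rec):
            events[rec["ip"]].append(("upload", rec["path"]))
        elif is_odd_upload_hit(rec) and events.get(rec["ip"]):
            events[rec["ip"]].append(("execute", rec["path"]))
    return {ip: ev for ip, ev in events.items() if any(k == "execute" for k, _ in ev)}

# Constructed sample log: one client replays the chain, another fetches a normal image.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2019:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 52 "-" "curl/7.64"
203.0.113.5 - - [28/Jan/2019:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 52 "-" "curl/7.64"
203.0.113.5 - - [28/Jan/2019:10:01:05 +0000] "POST /wp-content/uploads/CostEstimationPayment/_/ngfndfgsdcas.tss HTTP/1.1" 200 13 "-" "curl/7.64"
198.51.100.7 - - [28/Jan/2019:11:00:00 +0000] "GET /wp-content/uploads/CostEstimationPayment/_/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ev in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, ev)
```

A single lfb_upload_form POST on its own is not flagged, since legitimate administrators use the same endpoint; the signal is the follow-up request to the freshly uploaded, oddly named file.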

In other cases, Veenstra and his colleagues found that attackers exploit another of the plugin's AJAX-related functions to delete a site's wp-config.php configuration file.

This makes the WordPress site believe that a fresh install is taking place, since no database configuration is present, allowing the attackers to connect the site to their own database and log in as administrator.


According to the report by Wordfence, all WP Cost Estimation versions prior to v9.644 are vulnerable to these attacks.

The good news is that the developer fixed the bug in the release of v9.644 in October 2018, after one user complained about having their site hacked.

But there is also bad news: the developer of the plugin did not publicly disclose this security issue beyond a short mention in a long-buried CodeCanyon comment, leaving most of its users unaware of the flaw and the danger it poses.

According to CodeCanyon, the WP Cost Estimation plugin has been purchased by more than 11,000 users. But since premium plugins are often pirated from CodeCanyon and distributed for free on third-party websites, the real number of installations may be much higher.

Commercial WordPress plugins and themes are usually plagued with vulnerabilities.

For various reasons, the developers behind commercial plugins and themes also have little interest in releasing updates, as they are usually more focused on making a one-time sale and then moving on to a new plugin or theme to make more money.

"Commercial plugins have the ability to hook into WordPress's plugin update feature, but they need to provide their own repository to distribute the updates," said Veenstra. "Many don't go this route."

This is why many of those paid projects are abandoned a few months or years after launch.

But with the WP Cost Estimation plugin, the developer, Loopus, appeared to be more reliable. According to Wordfence, the team had identified another vulnerability, which was disclosed privately to the developer, and the developer responded quickly by releasing a patch.