Hackers Exploit Commercial WordPress Plugin Using AJAX-Related Flaw
- The WP Cost Estimation & Payments Forms Builder plugin has been exploited by hackers using an AJAX-related flaw.
- The flaw affects versions v9.644, and earlier and more recent versions are not affected.
- The exploit was discovered by Mikey Venstra and his team at Wordfence.
According to a recent report on Wordfence, the WP Cost Estimation & Payments Forms Builder plugin has been exploited by hackers. The plugin helps users create forms for e-commerce businesses and has been around for five years. The developers have already addressed the issue as part of a recent update, but users who are running older versions of the WordPress plugin may still be affected.
According to threat analyst Mikey Venstra, the hackers were breaking into websites using the plugin to hijack incoming traffic. Venstra detailed the technicalities of the bug and said the hackers were taking advantage of an AJAX-related flaw found in the WordPress plugin’s upload feature.
According to Venstra "Commercial plugins have the ability to hook into WordPress's plugin update feature, but they need to provide their own repository to distribute the updates. Many don't go this route. In this case, the [WP Cost Estimation] plugin properly displays update in the dash, and the developer mentioned being able to push an automatic update."
The WordPress cost estimation app is exploitable only on versions v9.644 and earlier. The version was released in October 2018, and the total number of users who download the plugin exceeds 11,000 on CodeCanyon. However, premium plugins are also pirated from CodeCanyon and distributed for free on third-party websites which could mean the plugin’s user base is much larger than what the official figures suggest.
Security researchers at Wordfence are currently trying to identify the scale of the recent attacks. WordPress plugins are major targets for attackers due to the popularity of the platform. Most of the issues arise from users not keeping their plugins updated or using pirate plugins. In some cases, the developers do not update plugins to account for newly discovered security flaws. However, that is not the case with the cost estimation plugin as the developers have been consistent with updates.
What do you think about the WP Cost Estimation & Payments Forms Builder plugin being exploited by hackers? Feel free to share your thoughts with our online community on Facebook and Twitter.