WP Cost Estimation & Payment Forms Builder: A Popular WordPress Plugin creating a new attack surface
The large number of commercial plugins for WordPress creates a new attack surface across the WordPress site landscape. Hackers are using an old vulnerability in one such commercial plugin to break into websites and plant backdoors.
At the end of last month, the ongoing attacks were first detected by incident responders from Defiant, the company behind the Wordfence firewall plugin for WordPress. The vulnerability exploited in the attacks affects “WP Cost Estimation & Payment Forms Builder,” a commercial WordPress plugin that has been sold on the CodeCanyon marketplace for the last five years for building e-commerce-centered forms.
Defiant Threat Analyst Mikey Veenstra said that hackers used the hacked site they investigated to hijack incoming traffic and redirect it to other websites.
He did not rule out that attackers later abused the backdoor for other harmful activities. In a report published on Wordfence’s official blog, Veenstra and his colleagues broke down the technical details of the exploited vulnerability.
He said hackers used an AJAX-related flaw in the plugin’s upload functionality to save files on targeted sites under non-standard extensions (such as ngfndfgsdcas.tss). In a second step, the attackers would upload a .htaccess file associating that non-standard extension with the site’s PHP interpreter, ensuring that the PHP code contained in the file would run and activate the backdoor when they later requested it.
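The two-step chain just described leaves two artefacts on disk: a .htaccess file in the uploads tree that hands a non-standard extension to PHP, and a file with that extension whose contents begin with a PHP open tag. The scanner below is an added example written for this article, not code from Wordfence or the plugin vendor; it walks an uploads directory and flags both artefacts. The directory layout, the handler directive and the planted file contents are constructed sample data (the .tss extension is the one the article cites), and the sample file contains only a harmless echo.

```python
"""Scan a WordPress uploads tree for the artefacts of the attack chain
described above: an .htaccess that maps an arbitrary extension to the PHP
handler, and files under such extensions that contain PHP code."""
import os
import re
import tempfile
from pathlib import Path

# Apache directives that can hand a file to the PHP interpreter.
HANDLER_RE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)(.*)$",
    re.IGNORECASE | re.MULTILINE,
)
# Short and long PHP open tags; matched on the first 4 KiB of each file.
PHP_OPEN_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Extensions that are PHP by default and never belong in an uploads tree.
NORMAL_PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phps"}


def php_mapped_extensions(htaccess_text):
    """Return the set of extensions an .htaccess maps to PHP.

    AddHandler/AddType list extensions explicitly; SetHandler/ForceType
    apply to the whole directory (or <Files> scope), reported as '*'.
    """
    exts = set()
    for match in HANDLER_RE.finditer(htaccess_text):
        directive, target, rest = match.groups()
        if "php" not in target.lower():
            continue  # handler is not PHP (e.g. a MIME type for images)
        if directive.lower() in ("addhandler", "addtype"):
            for ext in rest.split():
                ext = ext.lower()
                exts.add(ext if ext.startswith(".") else "." + ext)
        else:
            exts.add("*")
    return exts


def scan_uploads(root):
    """Walk root and return sorted (finding_kind, path) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        mapped = set()
        if ".htaccess" in filenames:
            text = (d / ".htaccess").read_text(errors="replace")
            mapped = php_mapped_extensions(text)
            if mapped:
                findings.append(("htaccess_php_handler", str(d / ".htaccess")))
        for name in filenames:
            if name == ".htaccess":
                continue
            path = d / name
            ext = path.suffix.lower()
            if ext in NORMAL_PHP_EXT:
                findings.append(("php_file_in_uploads", str(path)))
                continue
            if "*" in mapped or ext in mapped:
                findings.append(("file_with_mapped_ext", str(path)))
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN_RE.search(head):
                findings.append(("php_code_in_non_php_file", str(path)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: one benign image plus the two attack artefacts."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = Path(root) / "2019" / "02"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg bytes")
    (month / ".htaccess").write_text("AddHandler application/x-httpd-php .tss\n")
    (month / "ngfndfgsdcas.tss").write_bytes(
        b"<?php echo 'constructed sample, not a backdoor'; ?>"
    )
    return root


if __name__ == "__main__":
    for kind, path in scan_uploads(build_sample_tree()):
        print(f"{kind:28s} {path}")
```

Run it against a real `wp-content/uploads` by calling `scan_uploads("/path/to/wp-content/uploads")`. The regex covers only the classic handler directives, so treat a clean result as a hint, not proof; the durable mitigation is to stop Apache from honouring .htaccess in the uploads directory at all (`AllowOverride None` for that path) and to deny PHP execution there in the server configuration, so that a mapped extension never reaches the interpreter.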
In other cases investigated by Veenstra and his colleagues, attackers used another AJAX-related plugin function to delete the site configuration and reconfigure it to use a database under their control. According to Wordfence, all versions of WP Cost Estimate before v9.644 are vulnerable to such attacks.
The good news is that the developer fixed the bug in October 2018 with the release of v9.644, after a user complained that their website had been hacked. The bad news is that the developer did not publicly disclose the security problem beyond a brief comment on CodeCanyon that is now buried, leaving most users unaware of the danger they might be in.
According to CodeCanyon, more than 11,000 users purchased the plugin. However, CodeCanyon scripts and plugins are often pirated and made available for free on hundreds of other sites, so the number of real-world installations is much higher.
Veenstra and the Wordfence team are still assessing the size and scope of these attacks. Backdoors that perform hidden redirects are usually part of the arsenal of cyber-criminal gangs operating malicious botnets, so hacks abusing this plugin flaw could have been going on for a while.
Commercial plugins and WordPress themes are notorious bad apples. Web security experts often recommend against buying and using them, because they are frequently abandoned after a few months or years.
The developer teams behind commercial plugins and themes also often have neither the means nor the interest to ship updates, as they are usually more focused on making one-time sales and then moving on to another new plugin or theme that can earn them new money, rather than spending their time in unproductive ways such as patching bugs.
In this case, the WP Cost Estimate developer seemed much more reliable than the one behind the abandoned Total Donations plugin. The Wordfence team also identified a second vulnerability in WP Cost Estimation, which was disclosed privately to the plugin author and immediately fixed. “Commercial plugins can connect to the WordPress plugin update feature, but they must provide their own repository to distribute the updates.”
“Many don’t go this way.” “In this case, the plugin [WP Cost Estimation] correctly displays an update in the dash, and the developer said he could push an automatic update.”
“If you see a developer responding constructively to questions and problems in reviews and comments, especially on CodeCanyon, it is a good sign that they are likely to be receptive to vulnerability disclosure and the patch process that follows.”