Hackers are exploiting an old vulnerability in a commercial WordPress plugin to break into websites and plant backdoors.
The ongoing attacks were first spotted at the end of last month by incident responders from Defiant, the company behind the Wordfence WordPress firewall plugin.
The vulnerability exploited in the attacks affects "WP Cost Estimation & Payment Forms Builder," a commercial WordPress plugin for building e-commerce-centric forms that has been on sale on the CodeCanyon marketplace for the last five years.
In an interview with ZDNet, Defiant Threat Analyst Mikey Veenstra said hackers were using the hacked site they investigated to hijack incoming traffic and redirect it to other websites. He didn't rule out the attackers abusing the backdoor for other nefarious activities later down the line.
In a report published on the Wordfence official blog, Veenstra and his colleagues broke down the technical details of the exploited vulnerability.
He said hackers were abusing an AJAX-related flaw in the plugin's upload functionality to save files with nonsensical extensions (such as ngfndfgsdcas.tss) on targeted sites.
In a second step of the exploitation routine, the attackers would then upload a .htaccess file that associated the non-standard file extension with the site's PHP interpreter, ensuring that when they'd later access the file, the PHP code contained within would execute and activate the backdoor.
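The second step leaves a trace a site owner can look for on disk. The following is an added example, not code from the article or from Wordfence: it scans a directory tree for .htaccess files that map an unexpected extension to PHP and lists the files carrying that extension. It assumes the mapping is made with Apache's `AddHandler` or `AddType` directive (the article does not name the directive), and the sample tree in `demo()` is constructed.

```python
import os
import re
import tempfile

# Apache directives that bind a handler or MIME type to file extensions.
# Assumption: the article does not name the directive, so both are checked.
DIRECTIVE = re.compile(r"^\s*(?:AddHandler|AddType)\s+(\S+)\s+(.+)$", re.I)
EXPECTED_PHP_EXTS = {"php", "phtml"}  # extensions a site normally runs as PHP

def php_mapped_extensions(htaccess_text):
    """Return the extensions this .htaccess routes to a PHP handler or type."""
    exts = set()
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):  # Apache comment line
            continue
        m = DIRECTIVE.match(line)
        if m and "php" in m.group(1).lower():
            exts.update(e.lstrip(".").lower() for e in m.group(2).split())
    return exts

def scan(root):
    """Return (htaccess, extension, files); a .htaccess covers its whole subtree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        ht = os.path.join(dirpath, ".htaccess")
        with open(ht, encoding="utf-8", errors="replace") as fh:
            exts = php_mapped_extensions(fh.read())
        for ext in sorted(exts - EXPECTED_PHP_EXTS):
            hits = sorted(
                os.path.relpath(os.path.join(d, f), root)
                for d, _s, fs in os.walk(dirpath)
                for f in fs if f.lower().endswith("." + ext))
            findings.append((os.path.relpath(ht, root), ext, hits))
    return findings

def demo():
    """Scan a constructed uploads tree (sample data, not from a real site)."""
    with tempfile.TemporaryDirectory() as root:
        up = os.path.join(root, "uploads")
        os.makedirs(up)
        for name, body in [(".htaccess", "# constructed\nAddType application/x-httpd-php .tss\n"),
                           ("ngfndfgsdcas.tss", "placeholder"), ("logo.png", "x")]:
            with open(os.path.join(up, name), "w") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__": print(demo())
```

A finding with an empty file list is still worth reviewing, since the mapping itself is the anomaly.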
In other cases Veenstra and his colleagues investigated, the attackers exploited another of the plugin's AJAX-related functions to delete a site's config and re-configure it to use their malicious database.
All WP Cost Estimation versions before v9.644 are vulnerable to these attacks, according to Wordfence. The good news is that the developer fixed the bug with the release of v9.644 in October 2018, after one user complained about having their site hacked.
The bad news is that the developer didn't publicly disclose this security issue outside of a short mention in a now-buried CodeCanyon comment, leaving most of his users unaware of the danger they might be in.
According to CodeCanyon, the plugin has been purchased by more than 11,000 users. However, CodeCanyon scripts and plugins are often pirated and made available for free on hundreds of other sites online, and the number of real-world installations is much higher.
Veenstra and the Wordfence team are still looking into the size and reach of these attacks. Backdoors that perform hidden redirects are usually part of the arsenal of cyber-criminal gangs operating malicious botnets, so hacks abusing this plugin flaw might have been going on for a while, and at scale.
Commercial WordPress plugins and themes are notorious bad apples. Web security experts often recommend against buying and using them because they're often abandoned after a few months or years (see story on the now-abandoned Total Donations plugin).
The developer teams behind commercial plugins and themes also don't have the means or the interest to ship updates, as they're usually more focused on making a one-time sale and then moving on to a new plugin or theme from which they can make new money, rather than spending their time in unproductive ways such as patching bugs.
In this case, the developer of WP Cost Estimation appeared to be a lot more reliable than the one behind the abandoned Total Donations plugin.
The Wordfence team said they also identified a second vulnerability in WP Cost Estimation, which they privately disclosed to the plugin author, who had it fixed right away.
"Commercial plugins have the ability to hook into WordPress's plugin update feature, but they need to provide their own repository to distribute the updates," Veenstra told ZDNet yesterday. "Many don't go this route."
"In this case, the [WP Cost Estimation] plugin properly displays an update in the dash, and the developer mentioned being able to push an automatic update."
ZDNet also asked Veenstra for a piece of advice for WordPress site owners who are thinking about buying commercial plugins or themes.
"As far as generic advice goes, I think the biggest litmus test is developer responsiveness," Veenstra told us. "On CodeCanyon especially, if you see a developer responding constructively to questions and issues in reviews and comments, it's a good sign that they'll be amenable to a vulnerability disclosure and the patch process that follows."