News Courtesy of ZDNet.com:

This particular exploit really hits close to home. WP Cost Estimation & Payment Forms Builder is a premium plugin that I’ve been using on this site for over a year. It’s a fantastic plugin that has allowed me to customize packages for web design and SEO clients. Before you check, yes, I’m already updated to a secure version.

I’m usually pretty good at staying on top of theme and plugin updates. Since I bought it from CodeCanyon, I have a license that allows for easy updating. Unfortunately for people who bought the plugin on 3rd party websites or downloaded it illegally, you might be in for a rude awakening.

It’s hard to feel bad for these people. That’s the risk you run when not purchasing (or pirating) through the official developer. You also won’t get support from the developer either. So if you run into a problem, you’re on your own!

In this case, the developer has been very responsive to the few issues I’ve had and provided me with solutions to fix them. However, in my opinion, he should have made users aware of this major flaw through email. Instead, it looks like it is only casually mentioned in the changelog (and perhaps in CodeCanyon comments).

It sucks for the guy who had his website hacked which initially alerted the developer. That could’ve easily been this website. It’s hard to say whether my server’s anti-malware plugin would’ve caught it. However, since it relies on files being uploaded (which I do not ask for in this plugin’s settings), I suppose I would’ve been safe.