News Courtesy of ZDNet.com:
The vulnerability exploited in the attacks affects “WP Cost Estimation & Payment Forms Builder,” a commercial WordPress plugin for building e-commerce-centric forms that has been on sale on the CodeCanyon marketplace for the last five years.
In an interview with ZDNet, Defiant Threat Analyst Mikey Veenstra said hackers were using the hacked site they investigated to hijack incoming traffic and redirect it to other websites. He didn’t exclude the attackers abusing the backdoor for other nefarious activities later down the line.
All WP Cost Estimation versions before v9.644 are vulnerable to these attacks, according to Wordfence. The good news is that the developer fixed the bug with the release of v9.644 in October 2018, after one user complained about having their site hacked.
This particular exploit really hits close to home. WP Cost Estimation & Payment Forms Builder is a premium plugin that I’ve been using on this site for over a year. It’s a fantastic plugin that has allowed me to customize packages for web design and SEO clients. Before you check, yes, I’m already updated to a secure version.
I’m usually pretty good at staying on top of theme and plugin updates. Since I bought it from CodeCanyon, I have a license that allows for easy updating. Unfortunately for people who bought the plugin on third-party websites or downloaded it illegally, you might be in for a rude awakening.
It’s hard to feel bad for these people. That’s the risk you run when you don’t purchase through the official developer (or when you pirate it). You also won’t get support from the developer. So if you run into a problem, you’re on your own!
In this case, the developer has been very responsive to the few issues I’ve had and provided me with solutions to fix them. However, in my opinion, he should have made users aware of this major flaw through email. Instead, it looks like it is only casually mentioned in the changelog (and perhaps in CodeCanyon comments).
It sucks for the guy who had his website hacked, which is what initially alerted the developer. That could’ve easily been this website. It’s hard to say whether my server’s anti-malware plugin would’ve caught it. However, since it relies on files being uploaded (which I do not ask for in this plugin’s settings), I suppose I would’ve been safe.