An unpatched directory traversal vulnerability found in WP Cost Estimation plug-in receives a security update

• The flaw exists in all the WP Cost Estimation versions before 9.660.
• Successful exploitation of the flaw could allow attackers to send a specially crafted HTTP request, upload arbitrary files to the system and overwrite files present on the server.

A directory traversal vulnerability in a commercial WordPress plug-in called WP Cost Estimation & Payment Forms Builder has received a security patch recently. The flaw existed in all the WP Cost Estimation versions before 9.660.

How does it work?

Security researchers from security firm Wordfence came across this new flaw while analyzing additional flaws in the plug-in. They found that hackers have been exploiting the vulnerability in the plug-in to launch attacks in the past months.

In a report published by security firm Wordfence, the researchers explored that hackers were abusing an AJAX-related flaw in the plugin’s upload functionality to save files with absurd extensions such as ‘ngfndfgsdcas.tss’ on targeted sites.

“The action lfb_upload_form was traced to the installed WP Cost Estimation plugin, which allowed us to piece together what had taken place. The installed version of the plugin was outdated, and the AJAX action allowing file uploads through form submissions was exploitable,” said the Wordfence researchers in a blog post.

In the second step of the exploitation process, the attackers would then add a ‘.htaccess file’ in the site’s PHP interpreter. This would enable them to access the file and activate the backdoors by executing the malicious PHP code.

Impact

The vulnerability exists due to input validation error when processing directory traversal sequences. Successful exploitation of the flaw could allow attackers to send a specially crafted HTTP request, upload arbitrary files to the system and overwrite files present on the server. This can even lead to the compromise of systems.

Upon further investigation, researchers also noted that the attackers exploited another AJAX-related functionality in the plug-in to delete configurations of a site and re-configured it to use their malicious database.

CodeCanyon, the platform which sells WP Cost Estimation & Payment Forms Builder, has reported that the vulnerable plugin has been purchased by more than 11,000 users.

While the Wordfence team is still looking into the size and reach of the attacks that can be carried out by exploiting the flaw, a security patch to fix the flaw has been released by the developer of the plug-in, Loopus Plugins.