Update now before payments app costs more than you bargained for

Attackers are targeting WordPress sites through an unpatched vulnerability found in a popular commercial plugin, researchers have discovered.

The flaw affects those using an outdated version of the WordPress Cost Estimation & Payment Forms Builder – an application downloaded nearly 12,000 times.

Sites running the plugin should “make it a priority” to update to the latest version to protect against a directory traversal attack, which allows an attacker to gain access to site files and even write their own commands on the compromised system.

This is only one of two flaws that researchers at Wordfence, a WordPress-focused security company, recently identified.

A separate bug was found a few months ago that made it possible for an attacker to upload and delete files on a WordPress site that featured the plugin.

But the developers had failed to disclose the flaw and its subsequent patch, leaving attackers free to continue exploiting the problem.

“Following this discovery, our threat intelligence team reviewed updated versions of the plugin for additional security issues,” Wordfence said in a blog post.

“We reported an unpatched directory traversal vulnerability to the developer, Loopus Plugins, who has since released an update addressing the issue.”

Plugin versions before 9.660 are said to be affected by the newly-found vulnerability, which lets an attacker bypass a website’s whitelist and overwrite files.

“Even with a whitelist only allowing images and archives to be uploaded, an attacker could cause serious trouble with an exploit,” Wordfence said.

“Any image on a site could be overwritten, allowing defacement campaigns to replace them en masse. If any backups are kept in an accessible location in a zip archive, an attacker could replace this backup with their own poisoned version, containing new users in the database or backdoors buried elsewhere in the file structure.”

“When the backup is restored (perhaps following a mysterious case of overwritten images), these backdoors would be deployed.”

The Daily Swig has reached out to Loopus Plugins for comment.