
Hackers Exploit Commercial WordPress Plugin Using Ajax-Related Flaw

By Nitish Singh - February 14, 2019

The Wp Cost Estimation Payments Forms Builder plugin has been exploited by hackers using an Ajax-related flaw. The bug affects versions v9.644 and has no effect on earlier and newer versions. Mikey Venstra and his colleagues at Wordfence had found the hack. The hackers had been breaking into websites using the plugin to hijack incoming traffic, according to threat analyst Mikey Venstra.

Venstra detailed the bug’s technicalities and said the hackers were leveraging an Ajax-related vulnerability found in the upload feature of the WordPress plugin. Business plugins have the potential to tap into the plugin update feature of WordPress, but they need to provide their own repository to distribute the updates, according to Venstra. Many aren’t going that path. In this case, the [Wp Cost Estimation] plugin shows changes correctly in the dashboard and the specified developer can submit an automatic update.

“The cost estimation software for WordPress can only be used in versions v9.644 and earlier. The version was released in October 2018, and the cumulative number of users installing the plugin on CodeCanyon exceeds 11000. Nevertheless, premium plugins are also pirated from CodeCanyon and distributed on third-party websites free of charge, which could mean the user base of the plugin is much greater than indicated by official figures. Now, Wordfence security researchers are trying to identify the severity of recent attacks.

Because of the platform’s success, WordPress plugins are major targets for attackers. Most of the problems arise when users don’t keep their software installed or use pirated plugins. In some cases, the developers do not upgrade plugins to compensate for newly discovered security flaws. This is not the case with the cost estimation feature, however, since the developers were consistent with the changes.