CVE-2019-25296
WP · WP Cost Estimation & Payment Forms Builder plugin for WordPress
A critical vulnerability exists in the WP Cost Estimation & Payment Forms Builder plugin for WordPress, identified as CVE-2019-25296.
Executive summary
A critical vulnerability exists in the WP Cost Estimation & Payment Forms Builder plugin for WordPress, identified as CVE-2019-25296. This flaw allows any unauthenticated attacker on the internet to upload malicious files, leading to complete server compromise, and to delete critical files, potentially causing total loss of the website. Due to the ease of exploitation and severe impact, this vulnerability represents an immediate and significant threat to any organization using an affected version of the plugin.
Vulnerability
The plugin contains an unauthenticated arbitrary file upload and deletion vulnerability. The issue stems from a lack of proper file type validation within two AJAX functions: lfb_upload_form and lfb_removeFile. An unauthenticated attacker can craft a malicious request to the lfb_upload_form action to upload any type of file, such as a PHP web shell, to the server. Successful exploitation of the upload vulnerability allows the attacker to achieve remote code execution (RCE), granting them full control over the website and underlying server. Furthermore, the attacker can leverage the lfb_removeFile action to delete arbitrary files on the server, including the critical wp-config.php file, which could lead to a denial of service or allow the attacker to reconfigure the site to point to a database under their control.
Business impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the highest possible level of risk. A successful exploit could lead to a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data (customer information, payment details, intellectual property), website defacement, service disruption, and the use of the compromised server for further malicious activities like hosting malware or launching attacks against other systems. The ability to delete core configuration files could result in extended downtime and significant recovery costs, leading to severe reputational damage and financial loss.
Remediation
Immediate Action: Immediately update the WP Cost Estimation & Payment Forms Builder plugin to the latest available version, which contains a patch for this vulnerability. After patching, it is crucial to review server logs for any signs of exploitation that may have occurred while the vulnerable version was active.
Proactive Monitoring:
- Monitor web server and WAF logs for POST requests to /wp-admin/admin-ajax.php containing action=lfb_upload_form or action=lfb_removeFile from untrusted IP addresses.
- Implement File Integrity Monitoring (FIM) to detect unauthorized file uploads in web-accessible directories (e.g., /wp-content/uploads/) or modifications/deletions of core WordPress files like wp-config.php.
- Scan for unexpected files with extensions such as .php, .phtml, or .php5 in directories where they should not exist.
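The two monitoring checks above (admin-ajax.php requests invoking the vulnerable actions, and server-executable files sitting under the uploads directory) can be scripted against existing logs and the filesystem. The following is an added example written for this advisory; it is not code from the plugin or from the advisory's author. The log lines are constructed, the 10.0.0.0/8 "trusted" range and the lfb/ upload subfolder are assumptions, and the extension list is the one the advisory names.

```python
import re
import tempfile
from ipaddress import ip_address, ip_network
from pathlib import Path
from urllib.parse import parse_qs

# Constructed sample of combined-format access log lines (not real traffic).
# 203.0.113.7 is an untrusted external address; 10.0.0.5 sits in the range
# assumed below to belong to legitimate administrators.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:22 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [12/May/2024:10:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 512 "https://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_removeFile HTTP/1.1" 200 73 "-" "python-requests/2.31"
198.51.100.9 - - [12/May/2024:10:03:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:04:00 +0000] "GET /wp-content/uploads/lfb/shell.php HTTP/1.1" 200 120 "-" "curl/8.0"
"""

# The two AJAX actions the advisory identifies as vulnerable.
SUSPECT_ACTIONS = {"lfb_upload_form", "lfb_removeFile"}
# Assumption: legitimate admin traffic originates from this internal range.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
# Extensions the advisory says should not appear under the uploads directory.
SUSPECT_EXTS = {".php", ".phtml", ".php5"}

# Minimal parser for the combined log format: client IP, timestamp,
# request method, request target (path plus query string) and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_trusted(ip):
    """True if the client address falls inside an assumed-trusted range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspect_requests(log_text):
    """Return (ip, timestamp, action, status) for every POST to
    /wp-admin/admin-ajax.php that invokes a vulnerable lfb_* action
    from an untrusted address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["path"].partition("?")
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(query).get("action", [None])[0]
        if action in SUSPECT_ACTIONS and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["ts"], action, int(m["status"])))
    return hits


def find_suspect_files(uploads_root):
    """Walk an uploads directory and list files whose extension would be
    executed server-side; none belong under /wp-content/uploads/."""
    root = Path(uploads_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SUSPECT_EXTS
    )


def scan_demo_uploads():
    """Build a constructed uploads tree in a temporary directory and scan
    it, so the example runs offline. The 'lfb/' subfolder is an assumption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("2024/05/invoice.pdf", "2024/05/photo.jpg",
                    "lfb/shell.php", "lfb/data.phtml"):
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed placeholder content\n")
        return find_suspect_files(root)


if __name__ == "__main__":
    for ip, ts, action, status in find_suspect_requests(SAMPLE_LOG):
        print(f"{ts} {ip} -> {action} (HTTP {status})")
    print("suspect files:", scan_demo_uploads())
```

Run against a real access log by reading the file into find_suspect_requests, and point find_suspect_files at the site's wp-content/uploads directory. One caveat a practitioner should keep in mind: admin-ajax.php accepts the action parameter in the POST body as well as the query string, and standard access logs do not record the body, so a request that carries action=lfb_upload_form only in the body will not match here. WAF or request-body logging in front of the site is needed to catch that case, which is why the advisory pairs log review with file integrity monitoring rather than relying on either alone.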
Compensating Controls:
- If immediate patching is not feasible, disable the WP Cost Estimation & Payment Forms Builder plugin until it can be safely updated.
- Deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the vulnerable AJAX actions.
- Enforce strict file permissions on the web server to prevent the web process from writing files to non-essential directories or deleting critical configuration files.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical severity (CVSS 9.8), the unauthenticated attack vector, and the availability of public exploits, this vulnerability poses an extreme risk. We strongly recommend that organizations immediately identify all instances of the WP Cost Estimation & Payment Forms Builder plugin and update them to a patched version without delay. Due to the high likelihood of automated exploitation, systems running a vulnerable version should be considered potentially compromised and should be thoroughly investigated for indicators of a breach, such as backdoors or suspicious user accounts.