- The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations.
- The plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site as a whole to external manipulation.
WordPress site owners are being alerted about an unpatched vulnerability discovered in ‘Total Donations’ plugin. The vulnerability, identified as CVE-2019-6703, could allow attackers to take over affected sites.
Security expert Mikey Veenstra from Defiant observed that attackers have been using this zero-day vulnerability to infect several WordPress sites over the past week.
The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations from the respective user bases.
Giving more details, Veenstra explained that the plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site as a whole to external manipulation.
“Searching the site’s codebase for the strings migla_getme and miglaA_update_me revealed the installed Total Donations plugin, and we quickly identified the exploited vulnerabilities as well as the attacker’s workflow,” said Veenstra in a blog post.
Where does the flaw exist?
The plugin in question contains an AJAX endpoint that can be queried by any unauthorized person.
“Total Donations registers a total of 88 unique AJAX actions into WordPress, each of which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint. We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely,” Veenstra added.
The AJAX endpoint allows an attacker to change the core setting value of any WordPress site. It can also enable the hacker to modify the destination account of donations received through the plugin and even retrieve Mailchimp mailing lists.
Defiant said that the developer’s site for the plugin appears to have gone inactive since May 2018. As there is no security patch for the vulnerability, users are therefore requested to delete or deactivate the plugin as soon as possible in order to secure their sites.