The Total Donations plugin creates a serious threat to the security of WordPress sites using it. The only way for the owners to protect themselves from hacker attacks is to delete the plugin from the servers. Just by doing this the owners of WordPress sites can prevent hackers from exploiting yet unpatched zero-day code vulnerability that allows cybercriminals to take control of vulnerable sites.
This zero-day vulnerability is not just present, yet Defiant cybersecurity experts have noticed a series of hacker attacks already exploiting it over the last week.
The issue is even worse because the flaw is affecting all versions of Total Donations. The plugin has been offered over the past years by CodeCanyon.
According to Defiant, the plugin code has several design vulnerabilities that make WordPress sites exposed to external manipulations and unauthenticated users.
The plugin contains an AJAX endpoint that can be remotely queried by any unauthenticated hacker. It is located in one of the plugin files, i.e. if we just disable the plugin, we will not eliminate the danger, as hackers can call that file directly. Only removing the plugin can completely protect the sites from attacks exploiting the newly discovered zero-day vulnerability.
Thanks to this AJAX endpoint hackers can modify the value of any WordPress site's core setting, change plugin-related settings, and the destination account of donations received through the plugin. But that's not all - exploiting this zero-day vulnerability, hackers can even retrieve Mailchimp mailing lists because the vulnerable plugin also supports as a side feature.
Defiant's cybersecurity experts have tried unsuccessfully to contact the plugin's developer. The developer's site is inactive from May 2018, as well as the product list of the plugin. At the same time, many users have started to complain that they have not received plugins updates for several vulnerabilities they reported to the developer.
Although the plugin may not have a huge amount of users, the danger is serious because it is probably installed on active sites with large userbases. Mostly such sites can afford a commercial plugin, and they have always been among the favorite targets of hacker groups.
This zero-day vulnerability of Total Donations is marked with the CVE-2019-6703 identifier, and Defiant intends to continue to closely monitor hacker attacks to track the expansion of the threat.