WordPress Zero-Day Attack – Total Donations Plugin
If you are running “Total Donations” we highly advise that you remove the application as soon as possible. A new exploit has been found and this zero-day affects all versions of Total Donations, a commercial plugin that site owners may have purchased over the past few years, and have used to gather and manage donations from their respective user bases.
According to Defiant researcher Mikey Veenstra, the plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site, as a whole, to external manipulation, even from unauthenticated users. In a security alert published on Friday, Veenstra said the plugin contains an AJAX endpoint that can be queried by any remote unauthenticated attacker.
The AJAX endpoint resides in one of the plugin’s files, meaning that deactivating the plugin doesn’t eliminate the threat, as attackers could simply call that file directly, and only removing the plugin in its entirety will safeguard sites from exploitation.
This AJAX endpoint allows an attacker to change the value of any WordPress site’s core setting, change plugin-related settings, modify the destination account of donations received through the plugin, and even retrieve Mailchimp mailing lists (which the plugin also supports as side feature).
Defiant says that all attempts to contact the plugin’s developer have been unfruitful. The developer’s site appears to have gone inactive around May 2018, and the plugin’s CodeCanyon product listing has been deactivated about the same time after countless of users reported that they had not received plugin updates for several bugs they reported.
The Total Donations zero-day has received the CVE-2019-6703 identifier. Defiant said it would continue to track the ongoing attacks for any noteworthy activity.
Chrisorah Infinite Customers – Protected
Late last year we became aware that the Total Donations plugin had become “abandonware” and noted concerns with the plugins code. We immediately scanned all websites under the Chrisroah Infinite umbrella and noted any websites that had Total Donations installed (12 in all). We reached out to our clients to discuss alternate options. We’ve since then removed and replaced all instances of Total Donations with our recommended choice, GiveWP. GiveWP is actively managed and maintained by Impress.org.