Zero-Days in WordPress Plugin Actively Exploited

The commercial Total Donations plugin for WordPress is impacted by multiple zero-day vulnerabilities that are being actively exploited in attacks, Wordfence security researchers report. 

The critical vulnerabilities impact all known versions of the plugin, including version 2.0.5, and allow malicious actors to gain administrative access to affected WordPress sites. Due to a lack of response from the plugin’s developers, users are advised to completely remove the plugin from their installations.

Developed by Calmar Webmedia, Total Donations is designed to simplify receiving online donations, and it provides site owners with the option to display progress bars and manage tasks and campaigns.

The plugin, Wordfence has discovered, “registers a total of 88 unique AJAX actions into WordPress, each of which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint.” 

Furthermore, the security researchers discovered that 49 of these actions can be exploited to access sensitive data, make unauthorized changes to a site’s content and configuration, and even completely take over the website. 

Total Donations allows unauthenticated users to read and update arbitrary WordPress options, and Wordfence says that malicious actors are already exploiting this issue in the wild. 

The researchers identified two functions that can be exploited to read the value of any WordPress option and multiple functions that can be used to modify the values of these options. Two functions can be used to register new user accounts with administrative privileges on the impacted site. 
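As an added illustration (not Total Donations’ own code), the pattern the researchers describe: an AJAX option-update handler reachable by unauthenticated users, shown beside a hardened version. The action name, option names and nonce name are hypothetical.

```php
<?php
// Illustrative example, not the plugin's actual code. First the unsafe shape
// described in the article, then a hardened handler. All names are hypothetical.

// --- Unsafe pattern: hooked for both logged-in and anonymous visitors via
// wp_ajax_nopriv_, and the handler lets the request choose the option. ---
add_action( 'wp_ajax_example_update_option',        'example_update_option_unsafe' );
add_action( 'wp_ajax_nopriv_example_update_option', 'example_update_option_unsafe' );

function example_update_option_unsafe() {
    // No capability check, no nonce, no allow-list: any visitor who reaches
    // /wp-admin/admin-ajax.php can rewrite any WordPress option.
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// --- Hardened pattern. ---
// 1. Register only the logged-in hook; no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_example_update_option', 'example_update_option_safe' );

function example_update_option_safe() {
    // 2. The nonce ties the request to a form the plugin itself rendered.
    check_ajax_referer( 'example_update_option', 'nonce' );

    // 3. Only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. The plugin, not the request, decides which options are writable,
    //    and only its own options appear in the allow-list.
    $allowed = array( 'example_goal_amount', 'example_campaign_title' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 5. Sanitize the value before persisting it.
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

A quick audit of any plugin for this class of bug is to list every `wp_ajax_nopriv_` registration and confirm that each handler genuinely needs to serve anonymous visitors and touches nothing privileged.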

Total Donations, the researchers also note, can connect to Stripe as a payment processor and can leverage Stripe’s Plans API to schedule recurring donations. However, the functions used for this interaction have no access control and can be exploited to tamper with recurring donations.

An attacker could also route incoming donations to an entirely different Stripe account.

Total Donations also includes functionality to integrate its own campaigns with mailing lists, but the respective functions fail to “perform permissions checks before returning data associated with a connected account’s mailing lists.”

The plugin is affected by various other vulnerabilities as well, including unauthenticated access to private and unpublished posts, SQL injection, and the ability to send test emails to an arbitrary address (with automation, this could lead to denial of service (DoS) for outbound email).

Wordfence reserved CVE-2019-6703 to track and reference these vulnerabilities collectively.

The researchers have been attempting to contact the plugin’s developers for the past couple of weeks but received no response. Thus, the vulnerabilities remain unpatched, despite being actively exploited.

“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites. The following article details the issues present in Total Donations, as well as the active attacks against the plugin,” Wordfence says. 

Written by

Ionut Arghire is an international correspondent for SecurityWeek.