The commercial Total Donations plugin for WordPress is impacted by multiple zero-day vulnerabilities that are being actively exploited in attacks, Wordfence security researchers report.
The critical vulnerabilities impact all known versions of the plugin, including version 2.0.5, and allow malicious actors to gain administrative access to affected WordPress sites. Due to a lack of response from the plugin’s developers, users are advised to completely remove the plugin from their installations.
Developed by Calmar Webmedia, Total Donations is meant to make receiving online donations easy and provides site owners with progress bars and tools to manage tasks and campaigns.
The plugin, Wordfence has discovered, “registers a total of 88 unique AJAX actions into WordPress, each of which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint.”
Furthermore, the security researchers discovered that 49 of these actions can be exploited to access sensitive data, make unauthorized changes to a site’s content and configuration, and even completely take over the website.
Total Donations allows unauthenticated users to read and update arbitrary WordPress options, and Wordfence says that malicious actors are already exploiting this issue in the wild.
The researchers identified two functions that can be exploited to read the value of any WordPress option and multiple functions that can be used to modify the values of these options. Two functions can be used to register new user accounts with administrative privileges on the impacted site.
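The bug class Wordfence describes, as an added illustration rather than the plugin’s actual code: an AJAX handler hooked for unauthenticated callers (`wp_ajax_nopriv_*`) that reads or writes whatever option the request names, beside a hardened version. The action names, option keys and function names below are hypothetical.

```php
<?php
// Added illustration, not Total Donations' code. Action names, option keys
// and function names are hypothetical.

// Vulnerable pattern: the handler is reachable via /wp-admin/admin-ajax.php
// by anyone (nopriv hook), performs no capability or nonce check, and lets
// the caller choose the option key, so any WordPress option can be read.
add_action( 'wp_ajax_nopriv_td_get_option', 'td_vuln_get_option' );
add_action( 'wp_ajax_td_get_option',        'td_vuln_get_option' );
function td_vuln_get_option() {
    wp_send_json( get_option( sanitize_key( $_POST['key'] ) ) );
}

// Same pattern for writes: an unauthenticated caller can update any option.
add_action( 'wp_ajax_nopriv_td_set_option', 'td_vuln_set_option' );
add_action( 'wp_ajax_td_set_option',        'td_vuln_set_option' );
function td_vuln_set_option() {
    update_option( sanitize_key( $_POST['key'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}

// Hardened version: no nopriv hook (logged-in users only), a CSRF nonce,
// a capability check, and an allowlist of the plugin's own option keys.
const TD_SAFE_OPTIONS = array( 'td_campaign_goal', 'td_currency' );
add_action( 'wp_ajax_td_set_option_safe', 'td_safe_set_option' );
function td_safe_set_option() {
    check_ajax_referer( 'td_settings', 'nonce' );      // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! in_array( $key, TD_SAFE_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $key, $value );
    wp_send_json_success();
}
```

When auditing a plugin, every `wp_ajax_nopriv_` registration deserves the same three questions: does the handler need to be public at all, does it verify a nonce, and does it check a capability before touching options, users or posts.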
Total Donations, the researchers also note, can connect to Stripe as a payment processor and can leverage Stripe’s Plans API to schedule recurring donations. However, the functions used for this interaction have no access control and can be exploited to tamper with recurring donations.
An attacker could also route incoming donations to an entirely different Stripe account.
Total Donations also includes functionality to integrate its own campaigns with mailing lists, but the respective functions fail to “perform permissions checks before returning data associated with a connected account’s mailing lists.”
The plugin is affected by various other vulnerabilities as well, including unauthenticated access to private and unpublished posts, SQL injection, and the ability for an attacker to send test emails to an arbitrary address (with automation, this could lead to denial of service (DoS) for outbound email).
Wordfence reserved CVE-2019-6703 to track and reference these vulnerabilities collectively.
The researchers have been attempting to contact the plugin’s developers for the past couple of weeks but received no response. Thus, the vulnerabilities remain unpatched, despite being actively exploited.
“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites. The following article details the issues present in Total Donations, as well as the active attacks against the plugin,” Wordfence says.