
Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin

Security experts at the Wordfence security firm discovered WordPress sites compromised via zero-day vulnerabilities in the Total Donations plugin.

The Total Donations WordPress plugin has been abandoned by its developers; for this reason, security experts are recommending that site owners delete it, after discovering multiple zero-day flaws that are being exploited by threat actors.

The news was reported by the security firm Wordfence, which observed threat actors exploiting the zero-day issues in the Total Donations WordPress plugin to gain administrative access to websites running the popular CMS.

Experts attempted to contact the development team behind the plugin, but they did not receive any reply.

“The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites.” reads the security advisory published by Wordfence.

“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites,”

The zero-day flaws affect all known versions of the WordPress plugin up to and including 2.0.5.

The Total Donations WordPress plugin is currently used by many non-profit and political organizations to receive donations.

Experts tracked the flaws as CVE-2019-6703. They discovered that Total Donations registers a total of 88 unique AJAX actions into WordPress, which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint.

“We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely.” continues the analysis.

The flaws could be exploited by an unauthenticated attacker who sends requests to the AJAX endpoint calling a specific action that updates arbitrary WordPress option values, which is enough to take over the website. For example, this can be used to enable new user registration and set the default role for new users to Administrator.
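The root cause the advisory describes, an AJAX action reachable by anonymous visitors through admin-ajax.php and writing options without any authorization check, is a generic WordPress anti-pattern. The following is an added illustration written for this article, not code from the Total Donations plugin or from Wordfence: the hook names and the `td_example_` prefix are hypothetical, the option names `users_can_register` and `default_role` are the real core WordPress settings named in the text. It shows the unsafe handler beside a hardened one, plus a post-incident check for the registration takeover the article mentions.

```php
<?php
// Added illustration (not Total Donations code). Hook and option names with
// the td_example_ prefix are hypothetical; users_can_register and default_role
// are real WordPress core options.

// --- Vulnerable pattern ---------------------------------------------------
// Registering the action under wp_ajax_nopriv_ as well as wp_ajax_ exposes it
// to unauthenticated visitors via /wp-admin/admin-ajax.php. With no capability
// check, no nonce and no allow-list, any caller can write any option, which is
// exactly how open registration with an administrator default role is turned on.
add_action( 'wp_ajax_td_example_update_option',        'td_example_update_option_unsafe' );
add_action( 'wp_ajax_nopriv_td_example_update_option', 'td_example_update_option_unsafe' );

function td_example_update_option_unsafe() {
    // No authentication, no authorization, no validation of name or value.
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// --- Hardened version -----------------------------------------------------
// 1. Only the authenticated hook is registered (no nopriv variant at all).
// 2. The handler requires a valid nonce and the manage_options capability.
// 3. Only plugin-owned options from an explicit allow-list can be written,
//    and the value is sanitized before it is stored.
add_action( 'wp_ajax_td_example_update_setting', 'td_example_update_setting_safe' );

function td_example_update_setting_safe() {
    // Dies with a 403 if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'td_example_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $allowed = array( 'td_example_currency', 'td_example_thank_you_text' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}

// --- Post-incident check --------------------------------------------------
// The takeover described in the article flips two core options. A site owner
// reviewing a host that ran the plugin can test for that combination directly.
function td_example_registration_looks_hijacked() {
    return '1' === (string) get_option( 'users_can_register' )
        && 'administrator' === get_option( 'default_role' );
}
```

The allow-list is the decisive control: even with a nonce and capability check in place, accepting an arbitrary option name lets a compromised or over-privileged account rewrite core settings, so a plugin should only ever write the options it owns.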

The attackers can perform many other malicious actions, including accessing mailing lists from Constant Contact and Mailchimp, and modifying or deleting recurring Stripe payment plans, because Total Donations can connect to Stripe as a payment processor.

Attackers can send test emails to an arbitrary address, a malicious action that could be automated to trigger a Denial of Service (DoS) for outbound email, either by triggering a host’s outgoing mail relay limits, or by causing the victim site to be included on spam blacklists.

The plugin is currently unavailable for purchase on Envato’s CodeCanyon; its listing has displayed a “Coming Soon” page since May 2018.

“These security flaws are considered zero-day vulnerabilities due to their active exploitation and a lack of an available patch,” researchers explained. “Unfortunately, the process of making this contact revealed that a solution may not ever be coming.”


Pierluigi Paganini

(SecurityAffairs – Total Donations, WordPress plugin)

