Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin

Security experts at the security firm Wordfence discovered WordPress sites compromised via zero-day vulnerabilities in the Total Donations plugin.

The Total Donations WordPress plugin has been abandoned by its developers; for this reason security experts recommend deleting it after discovering multiple zero-day flaws that are being exploited by threat actors.

The news was reported by the security firm Wordfence, which observed threat actors exploiting the zero-day flaws in the Total Donations WordPress plugin to gain administrative access to websites running the popular CMS.

Experts attempted to contact the development team behind the plugin, but they did not receive any reply.

“The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites.” reads the security advisory published by Wordfence.

“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites,” the advisory adds.

The zero-day flaws affect all known versions of the WordPress plugin up to and including 2.0.5.

The Total Donations WordPress plugin is currently used by many non-profit and political organizations to receive donations.

Experts track the flaws as CVE-2019-6703. They discovered that Total Donations registers a total of 88 unique AJAX actions into WordPress, which unauthenticated users can reach by querying the usual /wp-admin/admin-ajax.php endpoint.

“We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely.” continues the analysis.

An unauthenticated attacker could exploit the flaws by sending requests to the AJAX endpoint that invoke a specific action to update arbitrary WordPress option values and take over the website. For example, the attacker can enable new user registration and set the default role for new users to Administrator.
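The root cause the advisory describes, an AJAX action reachable without authentication that writes attacker-chosen option values, is easy to see in code. The following PHP is an added illustration, not code from Total Donations or from Wordfence: it puts an unsafe handler of that shape next to a hardened one, and adds a small post-incident check for the two settings the article says attackers flip. The hook names `wp_ajax_*` and `wp_ajax_nopriv_*`, the functions `update_option()`, `get_option()`, `check_ajax_referer()` and `current_user_can()`, and the option names `users_can_register` and `default_role` are real WordPress APIs; the action names, option keys and request parameter names prefixed `td_example_` are assumptions made up for this example.

```php
<?php
/**
 * Added example (not the plugin's own code): an unauthenticated AJAX handler
 * of the kind the advisory describes, beside a hardened version, plus a check
 * for the registration settings an attacker would change. All td_example_*
 * names and the request parameters option_name/option_value are hypothetical.
 */

// --- Unsafe pattern: the nopriv hook makes the action reachable by anyone,
// --- there is no nonce and no capability check, and the option key itself
// --- comes straight from the request.
add_action( 'wp_ajax_nopriv_td_example_update_option', 'td_example_update_option_unsafe' );
add_action( 'wp_ajax_td_example_update_option',        'td_example_update_option_unsafe' );
function td_example_update_option_unsafe() {
    $key   = $_POST['option_name'];   // caller-controlled key ...
    $value = $_POST['option_value'];  // ... and value
    update_option( $key, $value );    // can reach users_can_register / default_role
    wp_send_json_success();
}

// --- Hardened pattern: logged-in users only (no nopriv hook), CSRF nonce,
// --- administrator capability, an allow-list of the plugin's own keys,
// --- and sanitised input.
add_action( 'wp_ajax_td_example_update_setting', 'td_example_update_setting_safe' );
function td_example_update_setting_safe() {
    check_ajax_referer( 'td_example_settings', 'nonce' );   // dies on a bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'td_example_currency', 'td_example_goal' );   // plugin keys only
    $key = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $key, $value );
    wp_send_json_success( array( 'updated' => $key ) );
}

// --- Post-incident check: returns a list of findings for the two core
// --- options the article names as the takeover path.
function td_example_registration_exposure() {
    $findings = array();
    if ( '1' === (string) get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    if ( 'administrator' === get_option( 'default_role' ) ) {
        $findings[] = 'default_role for new users is administrator';
    }
    return $findings;   // empty array means both settings are at their safe defaults
}
```

The hardened handler is registered only on the `wp_ajax_` hook, so anonymous requests to admin-ajax.php never reach it; the nonce and capability checks stop a logged-in low-privilege user or a CSRF'd administrator, and the allow-list keeps the handler from touching core options at all. `td_example_registration_exposure()` is the kind of check to run (for example from a WP-CLI `eval` or a mu-plugin) after removing the plugin, alongside reviewing the administrator user list for accounts that should not exist.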

The attackers can perform many other malicious actions, including accessing mailing lists from Constant Contact and Mailchimp, and modifying or deleting recurring Stripe payment plans, because Total Donations can connect to Stripe as a payment processor.

Attackers can send test emails to an arbitrary address, a malicious action that could be automated to trigger a Denial of Service (DoS) for outbound email, either by triggering a host’s outgoing mail relay limits, or by causing the victim site to be included on spam blacklists.

The plugin is currently unavailable for purchase from Envato’s CodeCanyon; its listing has instead displayed a “Coming Soon” page since May 2018.

“These security flaws are considered zero-day vulnerabilities due to their active exploitation and a lack of an available patch,” researchers explained. “Unfortunately, the process of making this contact revealed that a solution may not ever be coming.”

Pierluigi Paganini

(SecurityAffairs – Total Donations, WordPress plugin)
