Zero-Day in Total Donations Plugin Allows to Compromise WordPress Websites

Delaware, USA – January 28, 2019 – A critical vulnerability was found in one of the popular WordPress commercial plugins, Wordfence reports. According to the published information, the Total Donations plugin contains an Ajax code which makes the whole WordPress site unsecured and enables remote malicious manipulations like changing core settings or even modifying the account for incoming donations.

Plugin deactivation doesn’t unable the malicious remote access since any unauthorized connection can be made by calling the file directly, so to assert security one should delete the entire plugin. The Zero-day vulnerability in Total Donations plugin has received the CVE-2019-6703 identifier however it doesn’t seem it will ever be patched since the developer’s site has been inactive. The vulnerability also provides the attackers with access to the huge amount of MailChimp mailing lists which can be used for DoS out mailing or for leading the victim site to the blacklists.

It is also worth noting that Drupal patched the recently discovered critical vulnerabilities in the Drupal core, one of which allows attackers to bypass security restrictions on the unpatched system, and the exploitation of the second one leads to arbitrary PHP code execution. Last year, researchers documented several massive campaigns targeted at websites using Drupal CMS. Adversaries exploited patched vulnerabilities to install backdoors and cryptocurrency miners. Coinminers remain the most widespread threat since the beginning of 2018, and the web resources of organizations are constantly under the gun of cybercriminals. For timely detection of attacks on your publicly accessible web resources, you can use Web Application Security Framework rule pack for ArcSight: