WordPress sites under attack via the Total Donations plugin

Total Donations

WordPress site owners using the “Total Donations “plugin are advised to remove the plugin from their servers in order to prevent hackers from exploiting an unpatched vulnerability in their code and from taking over the sites concerned.

In the past week, security experts from Defiant, the company behind the WordFence plugin for WordPress, have observed attacks using this zero-day. The zero-day applies to all Total Donations versions, a commercial plugin that website owners have purchased from CodeCanyon in recent years and used to collect and manage donations from their respective user bases.

According to Defiant researcher Mikey Veenstra, the code of the plugin contains several design flaws which inherently expose the plugin and the WordPress site to external manipulation even by non-authenticated users in general. Veenstra said in a security alert published on Friday that the plugin contains an AJAX endpoint that can be queried by an unauthenticated remote attacker. Steps to wordpress site hacked redirecting to another site issue.

The AJAX endpoint is located in one of the plugin files, which means that disabling the plugin does not eliminate the threat, as attackers can simply call that file directly, and only removing the plugin in its entirety protects sites from exploitation. This AJAX endpoint allows an attacker to change the value of the core setting of any WordPress site, change the plugin settings, modify the destination account of donations received via the plugin and even retrieve Mailchimp mailing lists (which the plugin supports as a side feature). Defiant says that every attempt to contact the developer of the plugin was unsuccessful.

The developer’s website appears to have been inactive around May 2018, and the CodeCanyon product listing of the plugin has been deactivated approximately the same time after countless users have reported that they have not received plugin updates for several bugs.

The zero-day total donation received the CVE-2019-6703 ID. Defiant said that he would keep track of the ongoing attacks for any notable activity. The plugin is not expected to have a large user base because it is a commercial offer.

The plugin is however most likely installed on active sites with large user bases, which could have provided a commercial plugin in the first place and which are also high-value targets for hackers.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.