WordPress sites under attack via zero-day in abandoned plugin
WordPress site owners using the “Total Donations” plugin are advised to delete the plugin from their servers to prevent hackers from exploiting an unpatched vulnerability in its code and take over affected sites.
Attacks using this zero-day have been observed over the past week by security experts from Defiant, the company behind the Wordfence firewall plugin for WordPress.
The zero-day affects all versions of Total Donations, a commercial plugin that site owners have bought from CodeCanyon over the past years, and have used to gather and manage donations from their respective userbases.
According to Defiant researcher Mikey Veenstra, the plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site, as a whole, to external manipulation, even from unauthenticated users.
In a security alert published on Friday, Veenstra said the plugin contains an AJAX endpoint that can be queried by any remote unauthenticated attacker.
The AJAX endpoint resides in one of the plugin’s files, meaning that deactivating the plugin doesn’t eliminate the threat, as attackers could simply call that file directly, and only removing the plugin in its entirety will safeguard sites from exploitation.
This AJAX endpoint allows an attacker to change the value of any WordPress site’s core setting, change plugin-related settings, modify the destination account of donations received through the plugin, and even retrieve Mailchimp mailing lists (which the plugin also supports as side feature).
Defiant says that all attempts to contact the plugin’s developer have been unfruitful. The developer’s site appears to have gone inactive around May 2018, and the plugin’s CodeCanyon product listing has been deactivated about the same time after countless of users reported that they had not received plugin updates for several bugs they reported.
The Total Donations zero-day has received the CVE-2019-6703 identifier. Defiant said it would continue to track the ongoing attacks for any noteworthy activity.
Being a commercial offering, the plugin isn’t expected to have a huge userbase. However, the plugin is most likely installed on active sites with large userbases that could have afforded a commercial plugin in the first place, and which are also high-value targets for hacker groups.