WordPress sites using the Total Donations plugin were hit with a zero-day attack due to multiple design flaws in the code. The Wordfence Threat Intelligence team found several critical vulnerabilities in the plugin on January 16th.
All known versions up to 2.0.5 were affected in the attack. Cybercriminals exploited the plugin by gaining administrative access to the affected sites. Identified as CVE-2019-6703, the vulnerability allows malicious actors to “update arbitrary WordPress option values”, thus taking over the site. Further, attackers can create new user accounts and set new accounts to administrator.
Security analyst, Nate Smith, at WordPress found the zero-day when he noticed several suspicious AJAX actions happening on the access log page. 88 unique AJAX actions were identified in the plugin, all of which were accessible by unauthorized users. Of the 88 actions, 49 could be exploited by the attackers. Thus, allowing them to access private data, make changes to the site, and to take over the site.
After identifying the ongoing attack, Wordfence contacted the Total Donation’s development team, Calmar Webmedia. However, after several attempts they were unable to get in touch with the development team.
Instead Wordfence found that the homepage for the plugin has been set to ‘Coming Soon’ since May 2018. Further, the plugin is no longer available for purchase.
In the security alert, Wordfence stated:
“The most common issue cited in these reviews is a lack of product support, with complaints up to three years old detailing a complete lack of responsiveness from the plugin’s developers. As a security researcher hoping to make urgent contact regarding an active threat, this was an early bad omen.”
The intelligence team at Wordfence is recommending for all site owners to delete the Total Donations plugin. Simply, deactivating the plugin will not entirely remove the vulnerabilities. This is due to the developer’s decision to build the AJAX endpoint directly into the plugin’s files. The specific file can be called directly, even if the plugin is deactivated.
Date: February 12, 2019