Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin


Security experts at the security firm Wordfence discovered WordPress sites compromised via zero-day vulnerabilities in the Total Donations plugin

The Total Donations WordPress plugin has been abandoned by its developers; for this reason security experts recommend deleting it after discovering multiple zero-day flaws that were exploited by threat actors.

The news was reported by security firm Wordfence, which observed threat actors exploiting the zero-day issues in the Total Donations WordPress plugin to gain administrative access to websites running the popular CMS.


Experts attempted to contact the development team behind the plugin, but they did not receive any reply.

“The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites.” reads the security advisory published by Wordfence.

The zero-day flaws affect all known versions of the WordPress plugin up to and including 2.0.5.

The Total Donations WordPress plugin is currently used by many non-profit and political organizations to receive donations.

The flaws are tracked as CVE-2019-6703. The experts discovered that Total Donations registers a total of 88 unique AJAX actions in WordPress, which can be accessed by unauthenticated users by querying the standard /wp-admin/admin-ajax.php endpoint.

“We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely.” continues the analysis.

The flaws could be exploited by an unauthenticated attacker who sends requests to the AJAX endpoint invoking a specific action that updates arbitrary WordPress option values, and thereby takes over the website. In particular, this can be used to enable new user registration and set the default role for new users to Administrator.
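To make the option-update weakness concrete from a defender's side, here is an added illustration in WordPress plugin PHP. It is not code from the Total Donations plugin or from Wordfence: the action name `example_update_setting`, the helper `example_allowed_options`, and the option names it allows are hypothetical. The first handler shows the unsafe shape the article describes (anonymous `wp_ajax_nopriv_` hook, no nonce, no capability check, option name taken from the request); the second is the hardened form; the closing filter is a backstop that refuses to let `default_role` become `administrator` through any `update_option()` call.

```php
<?php
/**
 * Added illustration (not code from the Total Donations plugin): an AJAX handler
 * that lets a request change a WordPress option, shown first in the unsafe pattern
 * the article describes and then hardened. The action, helper and option names
 * (example_update_setting, example_allowed_options, example_*) are hypothetical.
 */

// --- Unsafe pattern: registered for unauthenticated visitors (wp_ajax_nopriv_*),
// no nonce, no capability check, and the option name comes straight from the request.
// With this shape, a request could change users_can_register and default_role.
function example_unsafe_update_setting() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_update_setting', 'example_unsafe_update_setting' );
add_action( 'wp_ajax_example_update_setting', 'example_unsafe_update_setting' );

// --- Hardened version: logged-in only, nonce-checked, capability-checked,
// and restricted to an explicit allow-list of the plugin's own options.
function example_allowed_options() {
    return array( 'example_donation_currency', 'example_thank_you_message' );
}

function example_safe_update_setting() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_update_setting', 'nonce' );

    // Only users who may manage site options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The option name must be one the plugin owns; core options are never reachable.
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $name, example_allowed_options(), true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
// Deliberately no wp_ajax_nopriv_ hook: anonymous visitors never reach the handler.
add_action( 'wp_ajax_example_update_setting', 'example_safe_update_setting' );

// --- Backstop for the take-over path the article describes: refuse to let
// default_role become administrator via any update_option() call, and log the attempt.
add_filter( 'pre_update_option_default_role', function ( $new_value, $old_value ) {
    if ( 'administrator' === $new_value ) {
        error_log( 'Blocked attempt to set default_role=administrator' );
        return $old_value;
    }
    return $new_value;
}, 10, 2 );
```

The `pre_update_option_{option}` filter runs before WordPress writes the value, so the backstop applies whether the change comes from a plugin's AJAX handler or from the Settings screen; the log line it emits is also a useful detection signal when reviewing a site that may have been targeted. The allow-list is the key design choice: even with authentication in place, a handler that accepts an arbitrary option name lets any user who reaches it reconfigure the site.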

The attackers can perform many other malicious actions, including accessing mailing lists from Constant Contact and Mailchimp, and modifying or deleting recurring Stripe payment plans, because Total Donations can connect to Stripe as a payment processor.

Attackers can send test emails to an arbitrary address, a malicious action that could be automated to trigger a Denial of Service (DoS) for outbound email, either by triggering a host’s outgoing mail relay limits, or by causing the victim site to be included on spam blacklists.

The plugin is currently unavailable for purchase from Envato’s CodeCanyon, and its listing has displayed a “Coming Soon” page since May 2018.

