Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form.
Attacks on the Total Donations plugins have been tracked over the past week by the Wordfence Threat Intelligence team (Defiant). As it turns out, the Total Donations plugin for WordPress, sold on CodeCanyon, contains multiple severe zero-day vulnerabilities (tracked as CVE-2019-6703). The discovered vulnerabilities exist in all known versions of the plugin up to and including the latest version 2.0.5.
The plugin is no longer available for purchase from Envato’s CodeCanyon after countless users reported that they had not received any plugin updates for several bugs that were reported. The plugin’s official website seems to be inactive since around may 2018. However, no abandonment notice was circulated to the users of the plugin, meaning that many valuable WordPress websites are open to takeover. Removing the plugin (not deactivating it) immediately is of extremely high urgency. In case the plugin is only deactivated, the attacker would still have the ability to call the file directly, gaining unauthorized access to the vulnerable websites.
The Total Donations plugin registers a total of 88 unique AJAX actions (migla_ajax_functions.php) into WordPress and each of these can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint.
The research team goes on by saying “49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely.”
The attackers could gain access and modify the set payment plans (Total Donations hooks into the Stripe API) and make modification to the mailing lists from either MailChimp or Constant Contact.
Attackers can send test emails to an arbitrary address, a malicious action that could be automated to trigger a Denial of Service (DoS) for outbound email, either by triggering a host’s outgoing mail relay limits, or by causing the victim site to be included on spam blacklists.
