According to a recent post written by researchers by the Wordfence Threat Intelligence team, there are serious concerns about a popular plugin used on WordPress sites. The plugin is Total Donations, and according to researchers, multiple zero-day vulnerabilities threaten site owners who utilize the plugin. The vulnerabilities are identified as CVE-2019-6703 and are dangerous due to the following explanation on the threat report:
Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
The vulnerabilities were uncovered by researchers following analysis that showed certain queries from attackers. The way that query strings were entered into the access data, as researchers explain it, showed obvious malicious activity. According to the post written by Wordfence, the developers of Total Donations (Calmar Webmedia) were contacted numerous times by the researchers. Despite Wordfence’s efforts to warn the developers, all forms of communication were completely ignored and the website itself that Calmar Webmedia uses appears to be abandoned.
For this reason, Wordfence researchers believe that there is no hope for a patch and that the plugin should be deleted by site administrators who employ it. Their reasoning relates to how the “the-ajax-caller.php” script will execute any AJAX function that is passed, regardless if Total Donations is active or not. Additionally, they state that this situation can be “used to call any arbitrary function, regardless of whether it’s associated with the Total Donations plugin at all, posing additional security risks on its own.”
Wordfence stated toward the end of their report that they will continue to monitor any malicious activity associated with these zero-days and will keep users aware of any new developments.