WordPress Websites Attacked via Zero-Day in Abandoned Plugin
Many WordPress websites have come under attack via a zero-day flaw in an abandoned plugin.
The “Total Donations” plugin, once widely used by WordPress website owners, has become a liability: attackers are exploiting an unpatched vulnerability in the plugin’s code to compromise WordPress websites.
Security experts at Defiant, the company behind the Wordfence plugin for WordPress, have detected the attacks happening via the zero-day in the “Total Donations” plugin. They have published details of the attack and have advised WordPress website owners using the Total Donations plugin to delete it from their servers.
A detailed blog post authored by Mikey Veenstra of the Wordfence Threat Intelligence team discusses various aspects of this attack. The post says, “The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. We have reserved CVE-2019-6703 to track and reference these vulnerabilities collectively.”
It further says, “It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites.”
The zero-day vulnerability affects all versions of the Total Donations plugin. According to the researchers who found the flaw, the plugin’s code contains design flaws that expose both the plugin itself and the hosting WordPress website to external manipulation, and they have clarified that even unauthenticated users can carry out this manipulation.
The Defiant blog post explains, “Total Donations registers a total of 88 unique AJAX actions into WordPress, each of which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint. We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely.”
The AJAX endpoint, which resides in one of the plugin’s files, can be exploited by any remote unauthenticated user to carry out various malicious activities.
ZDNet reports, “The AJAX endpoint resides in one of the plugin’s files, meaning that deactivating the plugin doesn’t eliminate the threat, as attackers could simply call that file directly, and only removing the plugin in its entirety will safeguard sites from exploitation.”
The report further explains, “This AJAX endpoint allows an attacker to change the value of any WordPress site’s core setting, change plugin-related settings, modify the destination account of donations received through the plugin, and even retrieve Mailchimp mailing lists (which the plugin also supports as a side feature).”
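The class of bug described above is a WordPress AJAX handler that is reachable without login and accepts an arbitrary option name and value. The following is an added illustration written for this article, not code from the Total Donations plugin, showing that unsafe pattern beside a hardened one; the plugin slug “tde”, the option names and the nonce action name are invented for the example.

```php
<?php
// Added illustration for a hypothetical plugin "tde"; not Total Donations' code.
// Refuse to run when the file is requested directly rather than loaded by WordPress.
// This matters because the report notes the vulnerable endpoint remained reachable
// after deactivation, as attackers could call the plugin file by URL.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Unsafe pattern (the kind of handler the report describes) ---
// wp_ajax_nopriv_* hooks run for visitors who are not logged in, and this handler
// writes whatever option name and value it is given, so any core setting can change.
function tde_unsafe_update_option() {
    $name  = isset( $_POST['name'] ) ? $_POST['name'] : '';
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_tde_unsafe_update_option', 'tde_unsafe_update_option' );
add_action( 'wp_ajax_tde_unsafe_update_option', 'tde_unsafe_update_option' );

// --- Hardened pattern ---
function tde_safe_update_option() {
    // 1. A nonce ties the request to a settings page this site rendered for this user.
    check_ajax_referer( 'tde_settings', 'nonce' );

    // 2. Capability check: only users who may manage options can reach update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list the option keys this plugin owns instead of accepting any key.
    $allowed = array( 'tde_currency', 'tde_thank_you_text' );
    $name    = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Sanitize the value before storing it.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
// Registered on wp_ajax_* only: a settings handler gets no wp_ajax_nopriv_* hook.
add_action( 'wp_ajax_tde_safe_update_option', 'tde_safe_update_option' );
```

When auditing a plugin, grep its source for `wp_ajax_nopriv_` registrations and confirm each handler either needs no privilege at all or performs a capability check and nonce verification before touching site data.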
The Total Donations plugin has other miscellaneous vulnerabilities as well. Mikey Veenstra writes, “A number of other vulnerabilities exist in the plugin, which are moot when an attacker can gain administrative access and perform any other activity manually from there.”
Defiant researchers attempted to contact the developers of the Total Donations plugin through every channel available to them, without success. The Defiant blog post states, “On January 16th, we worked to contact Total Donations’ development team, Calmar Webmedia, in order to work together to produce a patch and protect affected users. Unfortunately, the process of making this contact revealed that a solution may not ever be coming.”
The failure to reach Calmar Webmedia, and the absence of any developer response, led the researchers to conclude that the Total Donations plugin has been abandoned.
The Defiant blog post clarifies, “Because of the lack of any developer response, the apparent abandonment of the Total Donations plugin, and the active attacks on vulnerable sites, as per our published disclosure policy we have released this disclosure as a means of making the community aware of the threat.”
As already mentioned, the Defiant team is using the CVE-2019-6703 identifier to track the Total Donations vulnerabilities, and it continues to monitor the ongoing attacks for noteworthy activity. Although the plugin does not appear to have a huge userbase, it is most likely installed on many active WordPress websites that themselves have large userbases, so many attacker groups can be expected to look for sites still running it.