WordPress sites under attack via zero-day in abandoned plugin

WordPress site owners using the "Total Donations" plugin are advised to delete the plugin from their servers to prevent hackers from exploiting an unpatched vulnerability in its code and take over affected sites.

Also: Zero-day in popular WordPress plugin exploited in the wild 

Attacks using this zero-day have been observed over the past week by security experts from Defiant, the company behind the Wordfence firewall plugin for WordPress.

The zero-day affects all versions of Total Donations, a commercial plugin that site owners have bought from CodeCanyon over the past years, and have used to gather and manage donations from their respective userbases.

According to Defiant researcher Mikey Veenstra, the plugin's code contains several design flaws that inherently expose the plugin and the WordPress site, as a whole, to external manipulation, even from unauthenticated users.

In a security alert published on Friday, Veenstra said the plugin contains an AJAX endpoint that can be queried by any remote unauthenticated attacker.

The AJAX endpoint resides in one of the plugin's files, meaning that deactivating the plugin doesn't eliminate the threat, as attackers could simply call that file directly, and only removing the plugin in its entirety will safeguard sites from exploitation.

This AJAX endpoint allows an attacker to change the value of any WordPress site's core setting, change plugin-related settings, modify the destination account of donations received through the plugin, and even retrieve Mailchimp mailing lists (which the plugin also supports as side feature).

Defiant says that all attempts to contact the plugin's developer have been unfruitful. The developer's site appears to have gone inactive around May 2018, and the plugin's CodeCanyon product listing has been deactivated about the same time after countless of users reported that they had not received plugin updates for several bugs they reported.

Must read

• The Best Web Hosting Providers for 2019 (CNET)
  
• The best WordPress plugins: A guide for businesses (TechRepublic)
  

The Total Donations zero-day has received the CVE-2019-6703 identifier. Defiant said it would continue to track the ongoing attacks for any noteworthy activity.

Being a commercial offering, the plugin isn't expected to have a huge userbase. However, the plugin is most likely installed on active sites with large userbases that could have afforded a commercial plugin in the first place, and which are also high-value targets for hacker groups.

WordPress 5.0 is out. Here's a tour of the new features!

Related stories:

• Second WordPress hacking campaign underway
  
• Thousands of WordPress sites backdoored with malicious code
  
• WordPress 5.0 is out. Here's a tour of the new features!
  

More security coverage:

• DHS issues security alert about recent DNS hijacking attacks
• New ransomware strain is locking up Bitcoin mining rigs in China
• Concerns raised about WordPress' new 'White Screen Of Death' protection feature
• Malvertising campaign targets Apple users with malicious code hidden in images
  
• Hackers are going after Cisco RV320/RV325 routers using a new exploit
• Internet experiment goes wrong, takes down a bunch of Linux routers
• Brave browser can now show ads, and soon you'll get 70% of the money CNET
  
• Why cryptojacking will become an even larger problem in 2019 TechRepublic