Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin

Security experts at Wordfence security firms discovered WordPress Sites compromised via Zero-Day vulnerabilities in Total Donations Plugin The Total Donations WordPress plugin was abandoned by its developers for this reason security experts are recommending to delete it after they discovered multiple zero-day flaws that were exploited by threat actors. The news was reported by security […]

Total Donations

Security experts at Wordfence security firms discovered WordPress Sites compromised via Zero-Day vulnerabilities in Total Donations Plugin

The Total Donations WordPress plugin was abandoned by its developers for this reason security experts are recommending to delete it after they discovered multiple zero-day flaws that were exploited by threat actors.

The news was reported by security firm Wordfense that observed threat actors are exploiting the zero-day issued in the Total Donations WordPress plugin to gain administrative access to websites running the popular CMS.

Total Donations

Experts attempted to contact the development team behind the plugin, but they did not receive any reply.

“The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites.” reads the security advisory published by Wordfence.

“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites,”
The zero-day flaws affect all known versions of the WordPress plugin up to and including 2.0.5.

The Total Donations WordPress plugin is currently used by many non-profit and political organizations to receive donations.

Experts tracked the flaws as CVE-2019-6703, they discovered that Total Donations registers a total of 88 unique AJAX actions into WordPress, that can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint.

“We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely. ” continues the analysis.

The flaws could be exploited by an unauthenticated attacker to send requests to the AJAX event to call a specific action to update arbitrary WordPress option values and take over the website. This can be used to enable new user registration and set the default role for new users to Administrator.

The attackers can perform many other malicious actions, including accessing mailing lists from Constant Contact and Mailchimp, that can also modify or delete of recurring Stripe payment plans because
Total Donations can connect to Stripe as a payment processor.

Attackers can send test emails to an arbitrary address, a malicious action that could be automated to trigger a Denial of Service (DoS) for outbound email, either by triggering a host’s outgoing mail relay limits, or by causing the victim site to be included on spam blacklists.

The plugin is currently unavailable for purchase from Envato’s CodeCanyon, anyway, it displays a “Coming Soon” page since May 2018.

“These security flaws are considered zero-day vulnerabilities due to their active exploitation and a lack of an available patch,” researchers explained. “Unfortunately, the process of making this contact revealed that a solution may not ever be coming.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Total Donations, WordPress plugin)

[adrotate banner=”5″] [adrotate banner=”13″]