Zero-Day Vulnerability in Total Donations Plugin Could Expose WordPress Websites to Compromise

Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited in the wild. Total Donations is a plugin that lets non-profit, political, and religious organizations accept donations. According to Wordfence, the security flaws affect all versions of the plugin, including version 2.0.5. Successfully exploiting the zero-day (designated as CVE-2019-6703) can let unauthenticated attackers remotely modify values in the donation form.

[RELATED NEWS: Unpatched WordPress Vulnerability Leads to Deletion, Code Execution]

The zero-day stems from the way the plugin handles access control for its Asynchronous JavaScript and XML (AJAX) actions. AJAX is a web development technique used for creating dynamic web pages and applications; in WordPress, a plugin exposes AJAX actions that the browser can call, and each action handler is responsible for checking who is allowed to invoke it. Wordfence noted that 49 of the 88 AJAX actions in Total Donations could be exploited by hackers to access and steal data, alter the site’s content and settings, or remotely hijack the website.
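As an added illustration (not Total Donations’ own code, which is not reproduced here), the hypothetical WordPress plugin snippet below shows the AJAX access-control pattern the flaw belongs to: a handler reachable by unauthenticated callers with no capability or nonce check, beside a hardened version of the same handler. All function, action and option names are invented for this example.

```php
<?php
// Illustrative only: a made-up plugin, not the Total Donations code base.
// Both handlers store "donation form" settings; only the second one checks
// who is calling and whether the request was intentionally made.

// VULNERABLE PATTERN: registered under wp_ajax_nopriv_, so any visitor can
// reach it through admin-ajax.php, and it performs no capability, nonce or
// input validation before writing to the database.
function example_save_form_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
    update_option( 'example_form_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_form_v1', 'example_save_form_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_form_v1', 'example_save_form_vulnerable' );

// HARDENED PATTERN: logged-in users only (no wp_ajax_nopriv_ registration),
// a nonce bound to this action, an explicit capability check, and sanitized
// input. Unauthenticated requests to this action are rejected by WordPress
// before the handler runs.
function example_save_form_hardened() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_form', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_form_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_form', 'example_save_form_hardened' );

// The admin page that submits the form embeds this nonce as the 'nonce'
// field so the hardened handler accepts the request.
function example_form_nonce_field() {
    return wp_create_nonce( 'example_save_form' );
}
```

When auditing a plugin, every `wp_ajax_nopriv_` registration deserves the same question: does the handler it points to need to be public at all, and if so, does it touch only data an anonymous visitor should be able to change?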

Total Donations also appears to have been abandoned. The researchers reached out to its developers but had received neither acknowledgment nor response as of this writing. The plugin was last updated on June 8, 2016 on CodeCanyon (a marketplace for web development plugins and code), where it has since been listed as unavailable. This means that an official patch for the vulnerabilities might not be released.

[READ: WordPress Woes: A Fake Plugin and Three Zero-Day Vulnerabilities Found]

Around 33 percent of all websites are powered by the WordPress content management system (CMS). The scale of sensitive or mission-critical data these sites store and manage makes them an obvious target for cybercriminals and hackers. In December 2018, for instance, a 20,000-strong botnet of compromised WordPress websites was found using dictionary attacks (trying lists of preset credentials) to break into and infect other WordPress websites.

Apart from information theft and remote control, WordPress websites have also been hacked to deliver ransomware (or to lure victims into the ransomware-as-a-service business), redirect unknowing users to exploit kits, deface other websites, and host phishing kits and even backdoors. Many of these attacks stemmed from security flaws in plugins. In fact, 98 percent of vulnerabilities in WordPress are reportedly related to third-party plugins, which are supposed to enrich website functionalities and features.

[RELATED NEWS: Cross-site Scripting Vulnerability in WordPress Jetpack Plug-in Puts Over a Million WordPress Sites at Risk]

WordPress isn’t the only target. Popular content management systems like Joomla, Drupal, and Magento were also targeted and used as vehicles to deliver a variety of threats — from ransomware to cryptocurrency-mining and payment data-stealing malware.

While these platforms provide intuitive means to improve user experience and streamline a website or web application’s functionalities, securing them is paramount. Juggling different, and more often than not outdated, third-party components can make the website or web application that uses them susceptible to attacks. Web developers, programmers, and administrators should practice security by design. Regularly update and patch the CMS and its plugins. In the case of Total Donations, delete or disable outdated and vulnerable third-party components. Enforce the principle of least privilege. Consistently test the website and its components against exploitable flaws. Reduce the website or application’s attack surface, and employ multilayered security mechanisms that can help defend against threats.

Trend Micro’s Deep Discovery Inspector protects customers from threats that may exploit CVE-2019-6703 via this DDI Rule:

  • 2810: CVE-2019-6703 WordPress Total Donations Exploit - HTTP (Request)

The Trend Micro Deep Security solution protects user systems from threats that might exploit CVE-2019-6703 via the following deep packet inspection (DPI) rule:

  • 1009487 - WordPress Total Donations Plugin Remote Administrative Access Vulnerability (CVE-2019-6703)
