Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited in the wild. Total Donations is a plugin that lets non-profit, political, and religious organizations accept donations. According to Wordfence, the security flaws affect all versions of the plugin, including version 2.0.5. Successfully exploiting the zero-day (designated as CVE-2019-6703) can let unauthenticated attackers remotely modify values in the donation form.
It also appears that Total Donations has been abandoned. The researchers reached out to its developers but have received neither acknowledgment nor response as of this writing. The plugin was last updated on June 8, 2016 on CodeCanyon (a marketplace for web development plugins and code), where it has since been listed as unavailable. This means that an official patch for the vulnerabilities might not be released.
Around 33 percent of all websites are powered by the WordPress content management system (CMS). The scale of sensitive or mission-critical data they store and manage makes them an obvious target for cybercriminals and hackers. In December 2018, for instance, a 20,000-strong botnet of compromised WordPress websites was found using dictionary attacks (using preprogrammed credentials) to break into and infect other WordPress websites.
Apart from information theft and remote control, WordPress websites have also been hacked to deliver ransomware (or lure victims into the ransomware-as-a-service business), redirect unknowing users to exploit kits, deface other websites, and host phishing kits and even backdoors. Many of these attacks stemmed from security flaws in plugins. In fact, 98 percent of vulnerabilities in WordPress are reportedly related to third-party plugins, which are supposed to enrich website functionalities and features.
While these platforms provide intuitive means to improve user experience and streamline a website or web application’s functionalities, securing them is paramount. Using and juggling between different — and more often than not, outdated — third-party components can make the website or web application that uses them susceptible to attacks. Web developers, programmers, and administrators should practice security by design. Regularly update and patch the CMS and its plugins. In the case of Total Donations, delete or disable outdated and vulnerable third-party components. Enforce the principle of least privilege. Consistently test the website and its components against exploitable flaws. Reduce the website or application’s attack surface, and employ multilayered security mechanisms that can help defend against threats.
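The triage the paragraph above recommends, as an added example that is not part of the original article: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints, flags plugins on a "no fix available, remove" list for deactivation and deletion, and flags the rest for update when one is pending. The sample WP-CLI output is constructed, and the slug `total-donations` is an assumption to be checked against the plugin's directory name under wp-content/plugins on the site in question.

```python
"""Triage `wp plugin list --format=json` output: remove plugins that are
vulnerable with no patch available, update the rest when an update is pending."""
import json

# Plugins to remove rather than update. The slug "total-donations" is an
# assumption; confirm it against the directory name under wp-content/plugins.
REMOVE_NO_FIX = {"total-donations": "CVE-2019-6703; plugin abandoned, no patch"}

# Constructed sample of WP-CLI output (not captured from a real site).
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "total-donations", "status": "active", "update": "none", "version": "2.0.5"},
    {"name": "akismet", "status": "active", "update": "available",
     "version": "4.1.0", "update_version": "4.1.1"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7"},
])


def triage_plugins(wp_cli_json, remove_no_fix=REMOVE_NO_FIX):
    """Return actions keyed by kind:
    remove - on the no-fix list; deactivate and delete it (an inactive copy
             is still code on disk, so it is listed regardless of status)
    update - WP-CLI reports an update is available
    ok     - nothing pending
    """
    actions = {"remove": [], "update": [], "ok": []}
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug in remove_no_fix:
            actions["remove"].append((slug, plugin["status"], remove_no_fix[slug]))
        elif plugin.get("update") == "available":
            actions["update"].append((slug, plugin["version"], plugin.get("update_version", "?")))
        else:
            actions["ok"].append(slug)
    return actions


def wp_cli_commands(actions):
    """Render the WP-CLI commands that carry out the triage (run them on the site host)."""
    cmds = [f"wp plugin deactivate {s} && wp plugin delete {s}" for s, _, _ in actions["remove"]]
    cmds += [f"wp plugin update {s}" for s, _, _ in actions["update"]]
    return cmds


if __name__ == "__main__":
    result = triage_plugins(SAMPLE_WP_CLI_OUTPUT)
    for slug, status, reason in result["remove"]:
        print(f"REMOVE {slug} ({status}): {reason}")
    for slug, current, new in result["update"]:
        print(f"UPDATE {slug}: {current} -> {new}")
    print("\n".join(wp_cli_commands(result)))
```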
Trend Micro’s Deep Discovery Inspector protects customers from threats that may exploit CVE-2019-6703 via this DDI Rule:
2810: CVE-2019-6703 WordPress Total Donations Exploit - HTTP (Request)
The Trend Micro Deep Security solution protects user systems from threats that might exploit CVE-2019-6703 via the following deep packet inspection (DPI) rule: