WordPress sites attacked via a zero-day in an abandoned plugin

Owners of WordPress sites using the “Total Donations” plugin are advised to delete it from their servers outright, since attackers are exploiting an unpatched vulnerability in its code to take control of affected sites.

Attacks using this zero-day were observed last week by security experts at Defiant, the company behind the Wordfence firewall plugin for WordPress.

Paid plugin discontinued as of May 2018

The zero-day affects all versions of Total Donations, a commercial plugin that site owners have purchased from CodeCanyon over the past few years, and which they use to collect and manage donations from their respective user bases.

According to Defiant researcher Mikey Veenstra, the plugin’s code contains several design flaws that expose the plugin and the WordPress site, as a whole, to external manipulation, even by unauthenticated users.

In a security alert issued Friday, Veenstra said the plugin contains an AJAX endpoint that can be queried by any unauthenticated remote attacker.

The endpoint lives in one of the plugin’s own files, which the web server will execute on a direct request, so deactivating the plugin does not remove the threat: deactivation only stops WordPress from loading the plugin’s code, while the file stays on disk and remains reachable by URL. Only deleting the plugin entirely protects a site from exploitation.

Through this endpoint an attacker can modify core WordPress site settings, change the plugin’s own settings, redirect incoming donations to a different destination account, and even retrieve the site’s Mailchimp mailing lists (the plugin also integrates with Mailchimp as a secondary function).
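A site owner who has already removed the plugin still wants to know whether the endpoint was hit before removal. The script below is an added example, not code from Defiant’s advisory or from the plugin: it triages web-server access logs for direct requests to PHP files inside a plugin directory, the pattern that bypasses WordPress’s plugin deactivation. The plugin’s directory name (“total-donations”), the file name in the sample log (“endpoint.php”) and the log lines themselves are constructed assumptions, so set the slug to whatever your install actually uses and point the script at your own logs.

```python
"""Triage web-server access logs for direct requests to PHP files inside a plugin directory.

WordPress routes AJAX requests through /wp-admin/admin-ajax.php, which only dispatches to
plugins that are active. A PHP file under wp-content/plugins/<slug>/ that is requested
directly bypasses that and runs even when the plugin is deactivated, which is why only
deleting the plugin helps. This script flags such requests in "combined" format logs.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# ASSUMPTION: the plugin's directory name is not given in the article; "total-donations"
# is a guess. Set it to whatever directory your install actually uses.
PLUGIN_SLUG = "total-donations"

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: normal admin-ajax traffic, a stylesheet served from the plugin
# directory (benign), two direct hits on a PHP file in the plugin directory (the file name
# "endpoint.php" is made up), one hit on an unrelated plugin, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2019:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
203.0.113.7 - - [28/Jan/2019:10:01:03 +0000] "GET /wp-content/plugins/total-donations/assets/style.css HTTP/1.1" 200 3021
198.51.100.23 - - [28/Jan/2019:10:05:40 +0000] "POST /wp-content/plugins/total-donations/endpoint.php?action=update HTTP/1.1" 200 87
198.51.100.23 - - [28/Jan/2019:10:05:41 +0000] "POST /wp-content/plugins/total-donations//%65ndpoint.php HTTP/1.1" 200 87
192.0.2.9 - - [28/Jan/2019:10:07:00 +0000] "GET /wp-content/plugins/other-plugin/ajax.php HTTP/1.1" 404 0
this line is not in combined log format
"""


def parse_line(line):
    """Return the request fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_path(target):
    """Strip the query string, percent-decode (twice, to catch double encoding) and
    lower-case the path, then drop empty and "." segments so that
    /WP-CONTENT//plugins/./x.php compares equal to /wp-content/plugins/x.php.
    ".." segments are deliberately left in place so a reviewer sees traversal attempts."""
    path = unquote(unquote(urlsplit(target).path)).lower()
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return "/" + "/".join(parts)


def is_direct_plugin_hit(target, slug=PLUGIN_SLUG):
    """True when the request executes a PHP file inside the plugin directory directly,
    i.e. without going through admin-ajax.php. Static assets (.css, .js, images) are ignored."""
    path = normalise_path(target)
    prefix = f"/wp-content/plugins/{slug}/"
    return path.startswith(prefix) and path.endswith(".php")


def triage(log_text, slug=PLUGIN_SLUG):
    """Return (hits, per_ip): the suspicious requests in log order, and a Counter of
    how many each client address made. Unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_direct_plugin_hit(rec["target"], slug):
            hits.append(rec)
    return hits, Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found, per_ip = triage(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("direct plugin requests per client:", dict(per_ip))
```

Run it against a real log with `triage(open("access.log").read())`; any hit from an address that is not one of your own administrators, especially a POST, should be treated as a likely exploitation attempt and the site’s settings and donation destination reviewed. Because the check is on the request path rather than the response status, it still flags attempts that were made after the plugin was deleted (those will show as 404s), which is useful for seeing whether a site is being scanned for this plugin at all.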

Defiant reports that all attempts to contact the plugin developer have been unsuccessful. The developer’s site appears to have gone inactive around May 2018, and CodeCanyon’s product listing was disabled around the same time. Numerous users had already reported that the plugin was no longer receiving updates for several known bugs.

Because it is a paid plugin, its install base is probably small. The sites that do run it, however, are likely to be active sites with large user bases that accept donations, which makes them attractive targets for hacker groups.
