Zero-Days in WordPress Plugin Actively Exploited
(Jan 28, 2019)
The WordPress plugin “Total Donations” is affected by several zero-day vulnerabilities that could give unauthenticated attackers administrative control of affected WordPress sites, according to Wordfence. The plugin is intended to make receiving online donations easier and lets the site owner display progress bars and manage tasks and campaigns. It registers 88 unique AJAX actions that can be reached by unauthenticated users; 49 of them can be exploited to read sensitive data and make unauthorised changes to a site’s content and configuration. The vulnerabilities are tracked collectively as CVE-2019-6703. The plugin’s developers have not responded to the security researchers who contacted them, and no patch has been announced.
Recommendation: Wordfence advises site owners who have this plugin installed to delete it entirely rather than merely deactivating it, since no fix exists and a deactivated plugin remains on disk and can simply be re-enabled. WordPress site owners should keep their installations, along with any additional plugins, up to date. Ensure that any private documents containing Personally Identifiable Information (PII) are properly secured with restricted access and kept away from public view; leaked PII exposes the affected individuals to phishing and data or credit theft.
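The vulnerability class described above is a plugin registering AJAX actions on the unauthenticated `wp_ajax_nopriv_{action}` hook without a capability or nonce check in the handler. The following audit script is an added example, not code from Wordfence or from the Total Donations plugin: it scans PHP plugin source for `add_action('wp_ajax_…')` registrations, extracts each handler's body and flags handlers that are reachable without authentication and perform no `current_user_can()` check, ranking those that also change site state (option or post writes) highest. The embedded plugin source is a constructed sample with hypothetical `dp_*` function names, written only so the script runs offline; it does not reproduce the real plugin's code.

```python
import re
from pathlib import Path

# Constructed sample plugin source (hypothetical dp_* names, not Total Donations' code).
# Three handlers: one unauthenticated and state-changing, one unauthenticated and
# read-only, one authenticated with a nonce and a capability check.
SAMPLE_PLUGIN_PHP = r'''<?php
add_action('wp_ajax_nopriv_dp_update_settings', 'dp_update_settings');
add_action('wp_ajax_dp_update_settings', 'dp_update_settings');
function dp_update_settings() {
    update_option('dp_settings', $_POST['settings']);
    wp_send_json_success();
}

add_action('wp_ajax_nopriv_dp_public_totals', 'dp_public_totals');
add_action('wp_ajax_dp_public_totals', 'dp_public_totals');
function dp_public_totals() {
    wp_send_json(get_option('dp_totals'));
}

add_action('wp_ajax_dp_delete_campaign', 'dp_delete_campaign');
function dp_delete_campaign() {
    check_ajax_referer('dp_nonce', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    delete_option('dp_campaign_' . intval($_POST['id']));
    wp_send_json_success();
}
'''

# Matches add_action('wp_ajax_<action>', '<handler>') and the nopriv_ variant.
# Only plain string callbacks are handled; array($this, 'method') callbacks are skipped.
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")

# Calls that modify site state; a handler containing one of these is treated as a write.
STATE_CHANGING = ('update_option(', 'delete_option(', 'add_option(', 'wp_insert_post(',
                  'wp_update_post(', 'wp_delete_post(', 'wp_insert_user(', 'wp_update_user(',
                  '$wpdb->query(', '$wpdb->insert(', '$wpdb->update(', '$wpdb->delete(')


def _function_body(src, name):
    """Return the body of PHP function `name` by brace matching, or None if not found."""
    m = re.search(r'function\s+' + re.escape(name) + r'\s*\([^)]*\)\s*\{', src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
        i += 1
    return src[m.end():i - 1]


def audit_ajax_actions(src):
    """Classify every AJAX action registered in `src` by who can reach it and what it guards."""
    actions = {}
    for nopriv, action, handler in HOOK_RE.findall(src):
        entry = actions.setdefault(action, {'handler': handler, 'nopriv': False})
        if nopriv:
            entry['nopriv'] = True  # reachable by unauthenticated visitors
    findings = []
    for action, entry in actions.items():
        body = _function_body(src, entry['handler']) or ''
        cap = 'current_user_can(' in body
        nonce = 'check_ajax_referer(' in body or 'wp_verify_nonce(' in body
        writes = any(tok in body for tok in STATE_CHANGING)
        if entry['nopriv'] and not cap:
            severity = 'HIGH' if writes else 'MEDIUM'   # unauthenticated write vs. read
        elif not cap and writes:
            severity = 'LOW'    # any logged-in user, e.g. a subscriber, can trigger the write
        else:
            severity = 'OK'
        findings.append({'action': action, 'handler': entry['handler'], 'nopriv': entry['nopriv'],
                         'capability_check': cap, 'nonce_check': nonce,
                         'state_changing': writes, 'severity': severity})
    return findings


def audit_plugin_dir(path):
    """Run the audit over every .php file under a plugin directory (e.g. wp-content/plugins/<slug>)."""
    results = []
    for php in Path(path).rglob('*.php'):
        for f in audit_ajax_actions(php.read_text(errors='replace')):
            f['file'] = str(php)
            results.append(f)
    return results


if __name__ == '__main__':
    for f in audit_ajax_actions(SAMPLE_PLUGIN_PHP):
        print(f"{f['severity']:6} {f['action']:22} nopriv={f['nopriv']} "
              f"cap={f['capability_check']} nonce={f['nonce_check']} writes={f['state_changing']}")
```

Run `audit_plugin_dir('wp-content/plugins/<slug>')` against a plugin you are unsure about; every HIGH finding is an endpoint that an anonymous visitor can hit at `/wp-admin/admin-ajax.php?action=<action>` to change the site. The heuristic is deliberately conservative: a `nopriv` handler with no capability check is reported even when its data may be intentionally public, because that is exactly the pattern the Wordfence advisory describes, and the absence of a nonce on a state-changing handler is worth a look even where a capability check exists.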
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.