Best Top Reviews Online

Users of WordPress Urged to Eliminate Zero-Day-Ridden Plugin

The Total Donations plugin’s development team appears to have abandoned it, as they did not respond to researchers’ inquiries.

Following the discovery of multiple zero-day vulnerabilities being exploited by a malicious actor, researchers advise WordPress site owners to remove a compromised plugin.

Wordfence researchers reported on Friday that malicious actors are exploiting vulnerabilities in the Total Donations plugin to gain administrative access to vulnerable WordPress websites. In addition, the plugin appears to be abandoned, and despite repeated attempts to contact its developers at Calmar Webmedia about the flaws, there has been no response.

Wordfence’s threat analyst, Mikey Veenstra, wrote in a Friday blog post that site owners using the Total Donations plugin should delete, not just deactivate, it as soon as possible to secure their sites.

Total Donations is a plugin for WordPress that non-profits, churches, and political organizations use to accept donations from donors via a donation form. According to Wordfence researchers, the newly discovered vulnerabilities exist in all known versions of the plugin up to 2.0.5.

The zero-day vulnerability in the plugin, CVE-2019-6703, is caused by a flawed access control function in the AJAX technique of the website’s access log. AJAX (Asynchronous JavaScript and XML) is a technique for developing dynamic and speedy web pages.

In essence, the vulnerability permits unauthenticated attackers to modify arbitrary WordPress option values, resulting in site takeover. Attackers can send requests to the AJAX event in order to invoke a specific action (miglaA_update_me), which then modifies arbitrary options on affected sites.

This can be used to enable new user registration and make Administrator the default role for new users.

From there, bad actors can engage in additional malicious activity, such as gaining access to mailing lists from Constant Contact and Mailchimp. Access, modification, or deletion of recurring Stripe payment plans, as well as access to private and unpublished donation reports, are examples of additional inappropriate conduct.

In addition, “Multiple actions… can be exploited by an attacker to send test emails to any address,” according to the researchers. This can be automated as a Denial of Service (DoS) for outbound emails, either by triggering a host’s outgoing mail relay limits or by causing the victim’s website to be listed on spam blacklists.
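The option changes described above (open registration with Administrator as the default role) leave a state that a site owner can check for. The following Python sketch is an added example, not code from Wordfence or the plugin; it assumes the standard WordPress option names users_can_register and default_role and the PHP-serialized wp_capabilities user meta, and it runs on constructed sample rows in place of a real database export.

```python
import re
from datetime import datetime

# Constructed sample rows standing in for an export of wp_options and of
# wp_users joined with the wp_capabilities user meta (not real site data).
OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
USERS = [
    ("siteowner", "2017-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor1", "2018-06-11 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("wpsupport7", "2019-01-20 03:41:09", 'a:1:{s:13:"administrator";b:1;}'),
    ("donor42", "2019-01-21 12:00:00", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Roles granted (b:1) inside PHP-serialized wp_capabilities.
ROLE_RE = re.compile(r's:\d+:"([a-z_]+)";b:1;')


def audit_options(options):
    """Return findings for the registration settings the article describes."""
    findings = []
    open_reg = options.get("users_can_register", "0") == "1"
    role = options.get("default_role", "subscriber")
    if open_reg:
        findings.append("registration is open; confirm this is intended")
    if role != "subscriber":
        findings.append(f"default_role is '{role}', expected 'subscriber'")
    if open_reg and role == "administrator":
        findings.append("CRITICAL: any visitor can self-register as Administrator")
    return findings


def admins_created_since(users, cutoff):
    """List administrator accounts registered on or after the cutoff."""
    hits = []
    for login, registered, caps in users:
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if "administrator" in ROLE_RE.findall(caps) and when >= cutoff:
            hits.append(login)
    return hits


if __name__ == "__main__":
    for finding in audit_options(OPTIONS):
        print(finding)
    # Cutoff is a constructed value; on a real site use the plugin's install date.
    print(admins_created_since(USERS, datetime(2019, 1, 1)))
```

Any administrator account the second check returns that the site owner does not recognize should be treated as a sign of compromise, and both options should be reset after the plugin is deleted.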

(No) Developer Response

The plugin itself appears to have been abandoned, making matters worse.

Wordfence researchers attempted to contact the Vancouver-based development team for Total Donations, Calmar Webmedia, on January 16 but received no response or acknowledgment.

Site owners purchased the plugin from Envato’s CodeCanyon, which no longer offers it for sale but displays a “Coming Soon” page with a mockup image of a new website.

The upload path of this image, according to researchers, indicates that the site has been inactive since May 2018.

Researchers stated, “These security flaws are considered zero-day vulnerabilities due to their active exploitation and lack of a patch.” “Unfortunately, the process of making this contact revealed that there may never be a resolution.”

Before it was removed from the CodeCanyon marketplace, the plugin generated just over 2,500 sales, according to Veenstra.

“However, due to the fact that it’s been made available on various nulled plugin sites and is apparently installed on other Calmar Webmedia-developed websites, it’s difficult to determine how many additional sites obtained it from an unidentified source,” he said.

Calmar Webmedia has not yet responded to Threatpost’s request for comment.

WordPress Flaws

WordPress continues to be afflicted by flaws, particularly those that emanate from plugins.

In fact, according to a January Imperva report, nearly all (98%) WordPress vulnerabilities are related to plugins that extend a website or blog’s functionality and features.

Researchers at Imperva stated in their report, “Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or proper process that mandates minimum security standards (e.g. code analysis).” Therefore, WordPress plugins are vulnerable to security flaws.

This has resulted in a number of malicious attacks. In December, it was discovered that WordPress websites were the target of a series of attacks linked to a 20,000-strong army of infected WordPress websites. Less than a week after the release of WordPress 5.0, users were urged to update their CMS software to fix a number of critical bugs.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
