Researchers are urging WordPress site owners to delete a compromised plugin after multiple zero-day vulnerabilities were discovered being exploited by a malicious actor.
Researchers at Wordfence said on Friday that flaws in the plugin, Total Donations, are being exploited by malicious actors to gain administrative access to impacted WordPress sites. Making matters worse, the plugin appears to be abandoned, and there was no response from its developers at Calmar Webmedia about the flaws despite multiple attempts to contact them.
“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites,” Mikey Veenstra, threat analyst at Wordfence wrote in a Friday post.
Total Donations is a WordPress plugin used by non-profits, churches or political organizations who want to accept donations from donors using a donation form. The newly discovered vulnerabilities exist in all known versions of the plugin up to and including 2.0.5, Wordfence researchers said.
The zero day in the plugin, CVE-2019-6703, stems from an incorrect access control function in the AJAX technique of the site’s access log. AJAX (Asynchronous JavaScript and XML) is a tactic for creating fast and dynamic web pages.
Essentially the vulnerability allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. Attackers can send requests to the AJAX event to call a certain action (miglaA_update_me) that then changes arbitrary options on affected sites.
This can be used to enable new user registration and set the default role for new users to Administrator.
From there, bad actors can perform further malicious activity, including accessing mailing lists from Constant Contact and Mailchimp. Other bad behavior includes access, modification or deletion of recurring Stripe payment plans and access of private and unpublished donation reports.
In addition, “Multiple actions… can be abused by an attacker to send test emails to an arbitrary address,” researchers said. “This can be automated as a Denial of Service (DoS) for outbound email, either by triggering a host’s outgoing mail relay limits, or by causing the victim site to appear on spam blacklists.”
(No) Developer Response
Making matters worse, the plugin itself appears to have been abandoned.
On Jan. 16 researchers at Wordfence attempted to contact Total Donations’ Vancouver-based development team, Calmar Webmedia – but they did not receive a response or acknowledgement.
The plugin was purchased by site owners from Envato’s CodeCanyon, which now lists it as unavailable for purchase, but displays a “Coming Soon” page, featuring a mockup image of a new website.
Researchers said the upload path of this image implies the site has been in this dormant state since May 2018.
“These security flaws are considered zero-day vulnerabilities due to their active exploitation and a lack of an available patch,” researchers said. “Unfortunately, the process of making this contact revealed that a solution may not ever be coming.”
The plugin reached just over 2,500 sales before it was disabled from the CodeCanyon marketplace, Veenstra told Threatpost.
“However, because it’s been made available on various nulled plugin sites and is apparently installed on other sites developed by Calmar Webmedia, it’s hard to say how many more sites acquired it from an uncounted source,” he said.
Calmar Webmedia has not yet responded to a request for comment from Threatpost.
WordPress Flaws
WordPress continues to fall victim to flaws – specifically trickling down from the plugins.
In fact, according to a January Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.
“Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis),” researchers at Imperva said in their report. “Hence, WordPress plugins are prone to vulnerabilities.”
These have led to several malicious attacks – In December, it was discovered that WordPress sites are being targeted in a series of attacks tied to a 20,000 bot-strong army of infected WordPress websites. Also in December, WordPress 5.0 users were urged to update their CMS software to fix a number of serious bugs – less than a week after the version was released.