Specialists from Defiant have warned about the vulnerability CVE-2019-6703 in the Total Donations plugin. This commercial donation plugin was previously developed by CodeCanyon; however, its website has been inactive since May 2018 and the plugin itself has been discontinued, so the developers could not be contacted.
Specialists explain that the bug stems from an AJAX endpoint in Total Donations that a remote, unauthenticated attacker can request even when the plugin itself is disabled. Through this endpoint an attacker can change the plugin's settings and those of WordPress itself, redirect received donations elsewhere, extract the Mailchimp mailing list (Total Donations supports Mailchimp integration as a separate feature), and so on. Worse, the researchers emphasize that the bug is already being exploited by attackers.
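To make the class of flaw concrete, here is an added, hypothetical example written for this page; it is not Total Donations' code and says nothing about how that plugin is actually structured. It shows a WordPress AJAX handler that updates plugin settings in the insecure shape described above (reachable by unauthenticated callers, no authorization or nonce check) beside a hardened version. The WordPress hooks and API calls (`add_action`, `wp_ajax_*`, `current_user_can`, `check_ajax_referer`, `update_option`, `wp_create_nonce`, and so on) are real; the `demo_*` action names, the option name and the settings keys are placeholders.

```php
<?php
// Added, hypothetical example (not Total Donations' code). Two handlers for a
// settings-update AJAX action are shown side by side; a real plugin would
// register only one of them. Action/option names are placeholders.

// INSECURE PATTERN: the handler is also registered on the wp_ajax_nopriv_
// hook, so any visitor can call it through admin-ajax.php, and it writes a
// plugin option with no capability check, no nonce and no input sanitization.
function demo_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_plugin_settings', $settings );
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_demo_save_settings_insecure', 'demo_save_settings_insecure' );
add_action( 'wp_ajax_nopriv_demo_save_settings_insecure', 'demo_save_settings_insecure' );

// HARDENED PATTERN: no nopriv registration (anonymous requests never reach
// the handler), an explicit capability check so only administrators can
// change settings, a nonce check against CSRF, and whitelisted, sanitized
// input before anything is stored.
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $settings = array();
    $allowed  = array( 'currency', 'thank_you_page', 'mailchimp_list_id' ); // placeholder keys
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $settings[ $key ] = sanitize_text_field( wp_unslash( $raw[ $key ] ) );
        }
    }
    update_option( 'demo_plugin_settings', $settings );
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_hardened' );

// The nonce the hardened handler verifies is handed to the admin page's
// script; wp_localize_script exposes it as demoAjax.nonce in the browser.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When reviewing a plugin, the quick check is to list every `wp_ajax_nopriv_` registration and confirm that each handler either performs a read-only, public operation or verifies both a capability and a nonce before touching options, users, or payment configuration.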
Since all attempts to contact the developers of Total Donations have been unsuccessful, and the problem poses a threat even when the plugin is disabled, Defiant experts strongly recommend that users remove the dangerous plugin as soon as possible.