CVE-2019-6703
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify arbitrary WordPress settings via an insecure AJAX endpoint in the Total Donations plugin. Attackers can change critical configuration options like enabling new user registration with administrator privileges, leading to complete site compromise. All WordPress sites running Total Donations plugin version 2.0.5 or earlier are affected.
💻 Affected Systems
- Calmar Webmedia Total Donations WordPress Plugin
📦 What is this software?
Total Donations by Calmar Webmedia
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers create administrator accounts, install backdoors, deface the site, or use it for further attacks.
Likely Case
Attackers create administrator accounts to gain persistent access, potentially leading to data theft, malware distribution, or ransomware deployment.
If Mitigated
With proper web application firewalls and monitoring, attacks can be blocked and detected before successful exploitation.
🎯 Exploit Status
Simple HTTP POST requests to wp-admin/admin-ajax.php with specific parameters can exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.6 or later
Vendor Advisory: https://wordpress.org/plugins/total-donations/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Total Donations plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable miglaA_update_me action via .htaccess or web server configuration
# Add to .htaccess in WordPress root directory
# Note: mod_rewrite can only inspect the query string, not a POST body, so this
# rule does not catch the action sent as a form field; pair it with the WAF rule
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=miglaA_update_me
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
Web Application Firewall rule
Block requests containing the vulnerable action parameter (ARGS covers both query-string and POST-body parameters)
# Example ModSecurity rule
SecRule ARGS:action "@streq miglaA_update_me" \
"id:1001,phase:2,deny,status:403,msg:'Total Donations exploit attempt'"
# Example WAF rule pattern: action=miglaA_update_me
🧯 If You Can't Patch
- Immediately deactivate and remove the Total Donations plugin from all WordPress installations
- Implement strict network access controls to limit access to wp-admin/admin-ajax.php from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the WordPress plugin version:
1. Log into WordPress admin.
2. Go to Plugins → Installed Plugins.
3. Look for the Total Donations plugin version. If the version is 2.0.5 or earlier, you are vulnerable.
Check Version:
# Check via WordPress CLI if available
wp plugin list --name=total-donations --field=version
# Or check wp-content/plugins/total-donations/readme.txt for version
Verify Fix Applied:
Verify plugin version is 2.0.6 or later in WordPress admin plugins page, or confirm plugin is completely removed.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with 'action=miglaA_update_me' parameter
- Unusual user registration events, especially with administrator role
- Changes to WordPress options table from unauthenticated IPs
Network Indicators:
- POST requests to admin-ajax.php with miglaA_update_me parameter from external IPs
- Sudden increase in requests to WordPress admin endpoints
SIEM Query:
source="web_server_logs" AND ((url_path="/wp-admin/admin-ajax.php" AND query_string="*action=miglaA_update_me*") OR "miglaA_update_me")
Note: standard access logs record only the query string, not POST bodies, so a request that sends the action as a form field will show up only in WAF or ModSecurity audit logs; the bare "miglaA_update_me" term is a broader free-text match and may fire on unrelated hits.
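An added example, not part of this advisory, that applies the log indicators above to access-log lines in Apache/nginx combined format: it URL-decodes the query string before comparing the action value (so percent-encoded variants are not missed) and only flags requests whose path is admin-ajax.php. The log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format; the request field holds: METHOD TARGET HTTP/x.y
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

VULN_ACTION = "miglaA_update_me"
AJAX_PATH = "/wp-admin/admin-ajax.php"

def is_exploit_probe(line):
    """Return (ip, ts, method, status) if the line is a request for the
    vulnerable admin-ajax action, else None. Only the query string is visible
    in access logs; a POST body carrying the action is not, so pair this with
    the ModSecurity rule for full coverage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if unquote(parts.path).rstrip("/") != AJAX_PATH:
        return None
    # parse_qs percent-decodes values, so action=miglaA%5Fupdate%5Fme is caught
    actions = parse_qs(parts.query).get("action", [])
    if VULN_ACTION not in actions:
        return None
    return (m["ip"], m["ts"], m["method"], int(m["status"]))

def scan(lines):
    """Return a list of hits for every matching line in an iterable of log lines."""
    return [hit for hit in map(is_exploit_probe, lines) if hit]

# Constructed sample log lines (not from any real incident)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2019:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=miglaA_update_me HTTP/1.1" 200 45 "-" "curl/7.58.0"
203.0.113.5 - - [10/Jan/2019:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=miglaA%5Fupdate%5Fme HTTP/1.1" 200 45 "-" "curl/7.58.0"
198.51.100.7 - - [10/Jan/2019:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2019:12:00:04 +0000] "GET /?s=miglaA_update_me HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, ts, method, status in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {method} -> {status}: {VULN_ACTION} request")
```

The fourth sample line contains the string but is not an admin-ajax request, which is why the path check matters when the bare free-text term in the SIEM query is used.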
🔗 References
- https://wpvulndb.com/vulnerabilities/9208
- https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/