Attackers Exploit Zero-Day in WordPress Plugin
Researchers confirmed that malicious actors are able to gain administrative access to affected WordPress sites via the CVE-2019-6703 vulnerabilities in all versions of the Total Donations plugin, including 2.0.5.
“Total Donations was suspended from the CodeCanyon marketplace in late 2017 following a lack of support from the developers, so it had been disabled for over a year when it showed up on my radar. Because of the severity of the issues present in the plugin and the fact that no patch is likely to come, it is our recommendation that site owners delete Total Donations from their sites entirely,” Wordfence's Mikey Veenstra wrote in an email.
“WordPress is typical of many popular platforms where businesses only control a small portion of the code they rely upon,” said Satya Gupta, CTO and co-founder, Virsec. “Ensuring that there is no unpatched or vulnerable code in this stack is nearly impossible. While it’s always a good idea to heed these alerts and disable or patch vulnerable code wherever possible, businesses need application defenses that protect sensitive processes, even if there are underlying flaws.”
In this particular case, it doesn’t appear as though a patch is possible, given that the developers can’t be reached, according to Wordfence. “There currently do not appear to be any legitimate means of acquiring the latest version of Total Donations. The plugin’s homepage currently displays a Coming Soon page, featuring a mockup image of a new website. The upload path of this image implies the site has been in this state since May 2018.”
A large open developer community presents different pros and cons, and the ability for developers to abandon products is a huge problem with tools like WordPress and others, Gupta said. Developers can create lots of useful plugins to solve specific problems, “but if there isn’t a commitment to long-term support, many of these tools become liabilities. Any time you change a plugin it can cause unintended disruption and problems. Many businesses end up staying with unsupported tools until they actually break to avoid these headaches.”
Source: Information Security Magazine