WordPress sites under attack via zero-day in abandoned plugin

[silversurfer]

WordPress site owners using the "Total Donations" plugin are advised to delete the plugin from their servers to prevent hackers from exploiting an unpatched vulnerability in its code and take over affected sites.

Attacks using this zero-day have been observed over the past week by security experts from Defiant, the company behind the Wordfence firewall plugin for WordPress.

The zero-day affects all versions of Total Donations, a commercial plugin that site owners have bought from CodeCanyon over the past years, and have used to gather and manage donations from their respective userbases.

According to Defiant researcher Mikey Veenstra, the plugin's code contains several design flaws that inherently expose the plugin and the WordPress site, as a whole, to external manipulation, even from unauthenticated users.

In a security alert published on Friday, Veenstra said the plugin contains an AJAX endpoint that can be queried by any remote unauthenticated attacker.

Source: https://www.zdnet.com/article/wordpress-...ed-plugin/