Site owners using the Total Donations plugin are advised to delete the plugin from their servers to prevent hackers from exploiting a zero-day in its code and taking over affected sites. Attacks using this zero-day have been observed over the week by security experts from Defiant, the company behind the Wordfence firewall plugin for WordPress.

The zero-day affects all versions of Total Donations, a commercial plugin that site owners have bought from CodeCanyon over the past years and have used to gather and manage donations from their respective userbases. According to Defiant's Mikey Veenstra, the plugin's code contains several design flaws that expose the plugin and the WordPress site as a whole to manipulation, even by unauthenticated users.

According to a security alert published on Friday, the plugin contains an AJAX endpoint that can be queried by any remote unauthenticated attacker. The AJAX endpoint resides in one of the plugin's files, meaning that deactivating the plugin does not eliminate the threat; only removing the plugin in its entirety will safeguard sites from exploitation.

The developer's site appears to have gone inactive around May 2018, and the CodeCanyon product listing was deactivated about that time, after countless users reported that they had not received plugin updates for several bugs they reported. The Total Donations zero-day has received the CVE-2019-6703 identifier. The plugin is mostly installed on active sites with large userbases that could have afforded a commercial plugin in the first place.