
CVE-2019-6703 Scanner
CVE-2019-6703 Scanner - Arbitrary Options Update vulnerability in Total Donations Plugin for WordPress
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
The Total Donations Plugin for WordPress, created by Calmar Webmedia, is used by developers and website administrators to accept and manage donations on WordPress sites. It can be integrated into any WordPress site and provides features for tracking donations, managing donors, and generating reports. Organizations worldwide rely on it for a user-friendly donation workflow. Like any software, it requires regular updates to fix vulnerabilities and improve its security, and site owners need to be aware of, and address, known vulnerabilities to maintain site integrity.
The Arbitrary Options Update vulnerability in the Total Donations Plugin for WordPress allows unauthenticated attackers to update arbitrary WordPress option values. Because options control sensitive site configuration, an attacker who can change them can potentially take over the site. The root cause is a missing access control check in the plugin, specifically in the migla_ajax_functions.php file, so unauthorized requests reach code that modifies the site's critical settings. The vulnerability is particularly severe because successful exploitation leads to unauthorized access to, and control over, important site functionality.
Technically, the vulnerable code lives in migla_ajax_functions.php, which lacks the necessary access control checks. Attackers exploit it by sending crafted requests to wp-admin/admin-ajax.php that invoke the miglaA_update_me action; this action lets them change arbitrary option values on a vulnerable site. In particular, they can enable new user registration and set the default role for new users to administrator. With that done, an attacker simply registers an account and receives administrative privileges, fully compromising the site's security and functionality, and those privileges can be used for further exploitation and disruption.
If exploited, this vulnerability lets an unauthenticated attacker gain control over a WordPress site. By modifying crucial site options, such as enabling new user registration and assigning newcomers an administrative role, the attacker can take over the site, leading to unauthorized access, data manipulation, and potential data breaches. The exploit undermines the integrity and confidentiality of the site and can result in loss of user trust and reputation damage. It's crucial for site administrators to apply the necessary patches or updates to prevent such adverse outcomes.
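The following is an added example (not the scanner vendor's code and not the plugin's code) showing two defender-side checks that follow from the description above: a log triage pass that flags requests to wp-admin/admin-ajax.php invoking the miglaA_update_me action named on this page, and an audit of the two WordPress core options that the described attack changes (users_can_register and default_role are WordPress core option names; that these are the options meant by "enable new user registration" and "default role" is this example's assumption). The log lines are constructed samples in Apache/nginx "combined" format; real logs only expose the action when it is passed in the query string, so a POST carrying the action in its body (third sample line) is invisible here and needs WAF or request-body logging to catch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (assumed; the constructed samples below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# AJAX action named on this page for CVE-2019-6703. admin-ajax.php reads the action
# from the query string or the POST body; only the query-string form is visible in access logs.
SUSPICIOUS_ACTIONS = {"miglaA_update_me"}

# Constructed sample log lines (not real traffic). Documentation-range IPs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2019:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=miglaA_update_me HTTP/1.1" 200 12 "-" "curl/7.64.0"',
    '198.51.100.7 - - [10/Jan/2019:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    # Action in the POST body: not recoverable from an access log, so this line will NOT be flagged.
    '203.0.113.5 - - [10/Jan/2019:12:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "curl/7.64.0"',
    '192.0.2.9 - - [10/Jan/2019:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_log_line(line):
    """Parse one combined-format line; return a dict with path and query split out, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs yields lists; keep the first value of each parameter.
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry


def flag_admin_ajax_abuse(lines):
    """Return (ip, timestamp, action, status) for requests invoking a suspicious admin-ajax action."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        action = entry["query"].get("action", "")
        if action in SUSPICIOUS_ACTIONS:
            hits.append((entry["ip"], entry["ts"], action, entry["status"]))
    return hits


# Roles that should never be handed out to self-registered users.
PRIVILEGED_ROLES = {"administrator", "editor"}


def audit_registration_options(options):
    """Check a dict of WordPress options (as stored: '0'/'1' strings) for the takeover combination."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    role = options.get("default_role", "subscriber")
    if role in PRIVILEGED_ROLES:
        findings.append("default_role is " + role)
    return findings


if __name__ == "__main__":
    for hit in flag_admin_ajax_abuse(SAMPLE_LOG):
        print("suspicious admin-ajax request:", hit)
    # Constructed option snapshot representing a site after the described attack.
    for finding in audit_registration_options({"users_can_register": "1", "default_role": "administrator"}):
        print("option audit:", finding)
```

In practice the option snapshot would come from `wp option get users_can_register` / `wp option get default_role` (WP-CLI) or a direct read of the wp_options table; a site that has registration enabled with an administrator default role should be treated as compromised until the user list is reviewed, not merely reconfigured.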