The Issue At Hand
Nature of Vulnerability
These vulnerabilities, which affect all known versions of the plugin up to 2.0.5, are currently being exploited by malicious actors to gain administrative access to affected WordPress sites.
Recommendation for Website Owners
Owners with the Total Donations plugin installed should immediately delete the plugin, not just deactivate it, to safeguard their digital presence.
Understanding the Current Status
Is the Plugin Abandoned?
Yes, and that’s a concern. The glaring vulnerabilities are categorised as zero-day, owing to their active exploitation and the absence of a patch. Attempts to contact Calmar Webmedia, the development team behind Total Donations, were disheartening. The likely discontinuation of the plugin, coupled with the dormant status of its homepage since May 2018, has raised alarms.
Former Distribution and Reviews
Previously, the Total Donations plugin was accessible through Envato’s CodeCanyon marketplace. Though no longer available for sale, the plugin’s review page remains live, and it’s inundated with complaints about non-existent product support, some dating back three years. Such reviews, especially in the context of urgent security threats, indicate a potentially compromised product.
Developer’s Unresponsiveness
Calmar Webmedia, a Vancouver-based firm linked with Total Donations, seems to have deserted the project. Their non-responsive support page and non-functional ‘Request A Quote’ page further underline the need for immediate action.
Why Simply Deactivating Isn’t Enough
Merely deactivating the plugin doesn’t guarantee security, because the AJAX endpoint embedded in Total Donations remains in place while the plugin is deactivated.
Given the situation, complete security can only be ensured by eradicating the Total Donations plugin from your site. The threat persists even if the plugin is merely deactivated.
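An added example (not from the original article or the plugin's vendor): a Python audit that lists plugin directories still on disk although they are absent from WordPress's `active_plugins` option, which is the deactivated-but-not-deleted state described above. The plugin and file names in the sample are constructed placeholders, and the standard `wp-content/plugins` directory layout is assumed.

```python
import os
import re
import tempfile

def parse_active_plugins(serialized):
    """Plugin entry files named in a PHP-serialized active_plugins value."""
    # Each entry is stored as s:<len>:"<dir>/<file>.php";
    return set(re.findall(r's:\d+:"([^"]+)";', serialized))

def inactive_plugins_on_disk(plugins_dir, active_entries):
    """Map each non-active plugin directory to the PHP files it still holds."""
    active_dirs = {e.split("/", 1)[0] for e in active_entries if "/" in e}
    findings = {}
    for name in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, name)
        if not os.path.isdir(path) or name in active_dirs:
            continue  # single-file plugins and active plugins are skipped
        php = []
        for root, _dirs, files in os.walk(path):
            for fname in files:
                if fname.lower().endswith(".php"):
                    rel = os.path.relpath(os.path.join(root, fname), plugins_dir)
                    php.append(rel.replace(os.sep, "/"))
        if php:
            findings[name] = sorted(php)
    return findings

def demo():
    """Run the audit on a constructed plugins directory (placeholder names)."""
    option = 'a:1:{i:0;s:31:"active-plugin/active-plugin.php";}'
    layout = [
        "active-plugin/active-plugin.php",
        "example-abandoned-plugin/example-abandoned-plugin.php",
        "example-abandoned-plugin/includes/ajax-endpoint.php",
        "example-abandoned-plugin/readme.txt",
    ]
    with tempfile.TemporaryDirectory() as plugins_dir:
        for rel in layout:
            full = os.path.join(plugins_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php // constructed sample\n")
        return inactive_plugins_on_disk(plugins_dir, parse_active_plugins(option))

if __name__ == "__main__":
    for plugin, files in demo().items():
        print(f"{plugin}: deactivated but still on disk -> delete it")
        for f in files:
            print(f"  {f}")
```

On a multisite install, network-activated plugins are stored separately in `active_sitewide_plugins`, so include those entries before treating a directory as inactive.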
Take Charge of Your Digital Security
Ensure your WordPress site remains impervious to threats. Regularly update your plugins, and more importantly, be wary of those abandoned by developers.
Our team at Managed Services Australia is ready to help. Give us a call today at 1300 024 748 to ensure your business remains impervious to cyber-attacks.