Managed Services Australia Logo - Different Size

Total Donations Security Vulnerability.


October 4, 2019

The digital ecosystem continually faces threats that, if not addressed promptly, can compromise website integrity and user data. Recently, the Wordfence Threat Intelligence team has shed light on multiple vulnerabilities within the commercial ‘Total Donations’ plugin for WordPress.

The Issue At Hand

Nature of Vulnerability

These vulnerabilities, spanning all known versions of the plugin up to 2.0.5, are presently being exploited by ill-intentioned actors to gain administrative access to WordPress sites affected.

Recommendation for Website Owners

Owners with Total Donations plugin installed should immediately delete the plugin, not just deactivate it, to safeguard their digital presence.

The Backbone of Your Business

Understanding the Current Status

Is the Plugin Abandoned?

Yes, and that’s a concern. The glaring vulnerabilities are categorised as zero-day, owing to their active exploitation and the absence of a patch. On attempting to contact Calmar Webmedia, the development team behind Total Donations, the revelation was disheartening. The likely discontinuation of the plugin, coupled with the dormant status of its homepage since May 2018, has raised alarms.

Former Distribution and Reviews

Previously, the Total Donations plugin was accessible through Envato’s CodeCanyon marketplace. Though no longer available for sale, the plugin’s review page remains live, and it’s inundated with complaints about non-existent product support, some dating back three years. Such reviews, especially in the context of urgent security threats, indicate a potentially compromised product.

Developer’s Unresponsiveness

Calmar Webmedia, a Vancouver-based firm linked with Total Donations, seems to have deserted the project. Their non-responsive support page and non-functional ‘Request A Quote’ page further underline the need for immediate action.

Why Simply Deactivating Isn’t Enough

Merely deactivating the plugin doesn’t guarantee security due to an embedded AJAX endpoint within Total Donations.

Given the situation, complete security can only be ensured by eradicating the Total Donations plugin from your site. The threat persists even if the plugin is merely deactivated.

Take Charge of Your Digital Security

Ensure your WordPress site remains impervious to threats. Regularly update your plugins, and more importantly, be wary of those abandoned by developers.

Find out more about Managed Services Australia and our suite of security solutions here.

Interested in fortifying your tech infrastructure? Dive deep into our Technology Centre and initiate your cybersecurity journey with a strategic purchase today!

Our team at Managed Services Australia is ready to help. Give us a call today at 1300 024 748 to ensure your business remains impervious to cyber-attacks.

Book a consultation with Managed Services Australia.

Start your journey towards seamless IT solutions with us today – unlock your business’s true potential!