On January 25th, 2019, WordFence, a popular WordPress security company, identified multiple vulnerabilities in the apparently abandoned, but still used, commercial donations plugin Total Donations. These vulnerabilities can be exploited to gain full administrative access to WordPress sites if the plugin is not disabled and deleted immediately. Because this exploit gives full administrative access to your WordPress site, affected sites could expect anything from malicious articles being posted, deletion of content or users, or redirection to a malicious site, to server compromise in the wrong environment.
The WordFence announcement may be found on their blog here:
https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/
WordFence has also reserved Common Vulnerabilities and Exposures ID CVE-2019-6703 here for tracking purposes:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6703
How to Know if Your Sites Are At Risk
What log files to check for exploit attempts
When trying to check if your site has been affected, it is helpful to know where to begin looking. The following list is provided for your convenience and gives the default location of per-site Access Logs on popular control panels. If you don’t see an item for your setup here, reach out to our Support team and we’ll be happy to assist you further with finding your site’s access logs:
Access Logs - Plesk
- Via Plesk Web Interface: Websites & Domains > example.com > Logs > Apache access
- Plesk on Windows file location: %plesk_dir%admin\logs\W3SVC<IIS site ID>\ex<date>.log
- Plesk on RHEL/CentOS file location: /var/www/vhosts/system/example.com/logs
- Plesk on Debian/Ubuntu file location: /var/www/vhosts/system/example.com/logs
Access Logs - cPanel
- Via cPanel Web Interface: Metrics > Raw Access > example.com
- cPanel file location: /usr/local/apache/domlogs/example.com
What to look for
WordFence identified the following example exploit attempts; similar strings in your site logs may indicate exploit attempts against one of your sites.
POST /wp-admin/admin-ajax.php?action=migla_getme
POST /wp-admin/admin-ajax.php?action=migla_getme
POST /wp-admin/admin-ajax.php?action=miglaA_update_me
POST /wp-admin/admin-ajax.php?action=miglaA_update_me
GET /wp-login.php?action=register
WordFence also implied that a more skilled attacker could make better use of this vulnerability than the one cited, in which case the logs would potentially only show the following:
POST /wp-admin/admin-ajax.php
POST /wp-admin/admin-ajax.php
POST /wp-admin/admin-ajax.php
POST /wp-admin/admin-ajax.php
GET /wp-login.php?action=register
The common link here would be one or more POSTs to admin-ajax.php immediately followed by a GET to wp-login.php with a registration attempt from the same IP address.
Note: There are plenty of other reasons why you might see this pattern, but if you've arrived on this page you've probably either noticed something suspicious or you have this plugin installed. In either case, it's always better to check instead of assuming everything is working as intended.
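The pattern above can be checked mechanically rather than by eye. The following Python script is an added example (not code from WordFence or the plugin) that parses Apache combined-format access log lines, the format cPanel and Plesk write by default, and flags both indicators: a request carrying one of the known action names, and a POST to admin-ajax.php followed by a registration GET from the same IP. The sample log lines are constructed, using documentation IP ranges, and the five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Action names seen in the exploit attempts quoted above.
KNOWN_ACTIONS = ("migla_getme", "miglaA_update_me")

# Constructed sample log lines (not real traffic): one POST/POST/register sequence,
# one request with a known action name, and one lone registration page visit.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jan/2019:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Jan/2019:10:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Jan/2019:10:15:04 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jan/2019:11:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=migla_getme HTTP/1.1" 200 88 "-" "curl/7.58.0"
192.0.2.55 - - [26/Jan/2019:12:30:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return a dict of ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def find_suspicious(lines, window=timedelta(minutes=5)):
    """Return (ip, reason) pairs for lines matching either indicator; window is an assumed tolerance."""
    findings = []
    last_ajax_post = {}  # ip -> timestamp of that IP's most recent POST to admin-ajax.php
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip, path = r["ip"], r["path"]
        if r["method"] == "POST" and path.startswith("/wp-admin/admin-ajax.php"):
            for action in KNOWN_ACTIONS:
                if f"action={action}" in path:
                    findings.append((ip, f"known exploit action {action}"))
            last_ajax_post[ip] = r["ts"]
        elif r["method"] == "GET" and path == "/wp-login.php?action=register":
            prev = last_ajax_post.get(ip)
            if prev is not None and r["ts"] - prev <= window:
                findings.append((ip, "admin-ajax POST followed by registration attempt"))
    return findings
```

To run it over a real log, pass an open file object (for example the cPanel domlog path above) as `lines` instead of `SAMPLE_LOG.splitlines()`; the lone registration visit from 192.0.2.55 is deliberately not flagged because no admin-ajax POST precedes it.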
How to tell if any of your sites have this plugin
Folder/file names and location paths
The Total Donations plugin's default folder path was
- /wp-content/plugins/totaldonations/
with totaldonations being the root folder for plugin files
Example filenames that we were able to identify are:
- migla-donation-paypalstd-ipn.php
- migla-call-stripe.php
Archived copies of the Total Donations plugin documentation also confirm that this plugin did appear in the WordPress list of plugins under Installed Plugins, so you should be able to find it there assuming the plugin was installed in a standard manner.
A Quick Reminder
This is probably a good time to remind you that you should always keep your WordPress core installation, themes, and plugins up-to-date, and routinely check on your themes and plugins to make sure they're still actively being developed. Just like the Total Donations plugin, WordPress themes and plugins frequently get abandoned or replaced by new alternatives, so webmasters need to be vigilant to make sure their sites don't fall prey to similar issues.
More information on keeping WordPress and its plugins updated may be found in the following articles, provided for your convenience:
What to do if you think you've been compromised
The best thing to do if you think you've been compromised is to attempt to restore your site from a point prior to the compromise. Depending on how badly the site has been affected, this may mean restoring one backup at a time, working backwards from the current day, until you find one that is intact. Then, immediately remove the Total Donations plugin and recheck the rest of your site.
If you don’t have a functional backup, you may be able to get assistance from your developer or our Support team if the damage isn't too extensive.
Final Reminder
Just as a final reminder, any time you find that you're using an abandoned theme or plugin, it is always recommended to discontinue using it immediately, unless you are tech-savvy enough to take over its development yourself. Yes, replacing themes and plugins is a lot of work, with no immediate return on your investment. However, preventing loss of business and the expenditure of man-hours to troubleshoot and recover your site, or lost revenue in the event of a breach, is well worth it!
And always remember: Delete, don't just deactivate!
A deactivated plugin's files remain on the server, so deactivating it does not always make it invulnerable to compromise.