Total Donations is an easy-to-use but powerful WordPress plugin for accepting online donations. Donors can quickly contribute to your non-profit, church or political organization using an intuitive donation form while the administrative panels allow you to manage your tasks, progress bars and campaigns with ease.
According to researcher Mikey Veenstra, the plugin's code contains several design flaws that leave both the plugin and the WordPress site it runs on insecure. In a security alert released on Friday, Veenstra said the plugin ships Ajax handlers that any unauthenticated remote attacker can call to manipulate the plugin.
The Ajax handlers live in a PHP file inside the plugin's directory that can be requested directly over HTTP. Deactivating the plugin therefore does not remove the exposure: deactivation only stops WordPress from loading the plugin, while the web server still serves the file, and the attacker simply requests it by path. Only deleting the plugin from the server closes the hole. Through these handlers an attacker can change the value of any of the WordPress site's core settings (its stored options), change the plugin's own settings, redirect the account that receives donations made through the plugin, and even retrieve the site's MailChimp mailing lists. Because the writable settings include the ones that control whether visitors can register and which role new users receive, arbitrary write access to core options amounts to a takeover of the site.
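The flaw the alert describes is the combination of two design choices: an Ajax handler that sits in a plugin file which can be requested directly, and a handler that performs no authentication, authorization or nonce check before writing whatever option name the request supplies. The following is an added example, not code from Total Donations or from Veenstra's alert; the plugin name, the `exdon_` prefix, the action name and the option names are made up for illustration. The comment at the top shows the vulnerable shape in generic form; the live code below it shows how the same setting-save handler looks when routed through WordPress's admin-ajax.php pipeline with a nonce, a capability check and an allow-list of option names.

```php
<?php
/**
 * Plugin Name: Example Donations (illustrative hardened settings handler)
 *
 * Added example, not the Total Donations plugin's code. All exdon_* names are hypothetical.
 *
 * The vulnerable shape described in the article, reconstructed generically:
 *
 *   // wp-content/plugins/<plugin>/ajax.php, requested directly by the client
 *   require_once '../../../wp-load.php';              // the file bootstraps WordPress on its own
 *   update_option($_POST['name'], $_POST['value']);   // no login, no capability, no nonce, no allow-list
 *
 * Because the file loads WordPress itself, whether the plugin is "active" is irrelevant: the web
 * server still executes the file, and any option name the request supplies (siteurl, admin_email,
 * users_can_register, default_role, ...) gets overwritten. Deactivation does nothing; deletion does.
 */

// 1. Refuse direct execution. WordPress defines ABSPATH while bootstrapping; a request straight to
//    this file never passes through wp-load.php, so ABSPATH is undefined and the script exits.
defined('ABSPATH') || exit;

// 2. Register the handler on the logged-in Ajax hook only. With no matching 'wp_ajax_nopriv_' hook,
//    admin-ajax.php rejects anonymous requests before this code runs.
add_action('wp_ajax_exdon_save_setting', 'exdon_save_setting');

// 3. The request chooses from the settings this plugin owns; it never names an arbitrary option.
const EXDON_ALLOWED_OPTIONS = array(
    'exdon_campaign_goal',
    'exdon_recipient_email',
    'exdon_mailchimp_list_id',
);

function exdon_save_setting() {
    // CSRF: the 'nonce' field must have been minted with wp_create_nonce('exdon_settings') for this
    // user; check_ajax_referer() dies with a 403 otherwise.
    check_ajax_referer('exdon_settings', 'nonce');

    // Authorization: being logged in is not enough to change settings.
    if (! current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    $name = isset($_POST['name']) ? sanitize_key(wp_unslash($_POST['name'])) : '';
    if (! in_array($name, EXDON_ALLOWED_OPTIONS, true)) {
        // Rejects every core option; only the three plugin-owned names above get through.
        wp_send_json_error(array('message' => 'unknown setting'), 400);
    }

    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';

    // The donation recipient is the field an attacker would most want to redirect, so it gets a
    // format check of its own on top of the allow-list.
    if ('exdon_recipient_email' === $name && ! is_email($value)) {
        wp_send_json_error(array('message' => 'invalid e-mail address'), 400);
    }

    update_option($name, $value);
    wp_send_json_success(array('name' => $name, 'value' => $value));
}
```

The three checks are independent and all three matter: the ABSPATH guard stops the direct-request path that survives deactivation, the missing `wp_ajax_nopriv_` hook plus `current_user_can()` stop unauthenticated and low-privilege callers, and the allow-list keeps even an administrator's request from touching core options through this endpoint. A client would reach it with a POST to `admin-ajax.php` carrying `action=exdon_save_setting`, a `nonce`, a `name` and a `value`.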
The developer of Total Donations has stopped maintaining the plugin, and all of the company's plugins have now been removed from CodeCanyon, so no fixed version will be released and site owners should delete the plugin entirely rather than wait for an update. As a commercial product, the plugin does not have a large install base, but the sites that do run it tend to be ones with large audiences of their own, and those are precisely the sites attackers prefer to target.