cbcvebase.
CVE-2019-6703
published 2019-01-27

Priority: P1 84 · Severity: critical · CVSS 3.0 score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 26.08% (97.7th percentile)
Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Affected

1 range
Vendor           Product          Version range   Fixed in
calmar-webmedia  total_donations  <= 2.0.5

Detection & IOCs (extracted from sources)

path: /wp-admin/admin-ajax.php
path: /wp-content/plugins/total-donations/readme.txt
filename: migla_ajax_functions.php
command: miglaA_update_me
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php containing the 'miglaA_update_me' action parameter, which indicates exploitation of the Total Donations plugin arbitrary options update vulnerability.
  • Fingerprint vulnerable installations by probing /wp-content/plugins/total-donations/readme.txt and extracting the 'Stable tag' version; versions below 2.0.6 are vulnerable.
  • Use FOFA/Shodan body-search query body="/wp-content/plugins/total-donations/" to identify internet-exposed WordPress sites running the vulnerable Total Donations plugin.
  • Monitor WordPress option changes for 'users_can_register' being set to enabled and 'default_role' being set to 'administrator', which are the post-exploitation indicators of this attack.
  • The vulnerability affects Total Donations plugin versions through 2.0.5 only; version 2.0.6 and above are not affected. Version-check logic should use a strict less-than comparison against 2.0.6.
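The detection notes above, worked into runnable defender-side checks. This is an added example, not code from the CVE record, the plugin vendor, or any referenced detection source. It assumes request records come from an application-layer log (a WAF or a PHP-side hook) that retains the parsed URL, form body and cookies, since a plain access log does not show POST bodies, and that option changes come from an audit log of option updates. The only real request parameter used is `action`; every other parameter name, hostname, cookie value and log line in the sample data is constructed.

```python
"""Detection helpers for CVE-2019-6703 (Total Donations <= 2.0.5 for WordPress).

Added example; not code from the CVE record or from the plugin vendor.
Covers the three defender checks from the IOC notes:
  1. requests to admin-ajax.php carrying the miglaA_update_me action
     without a logged-in WordPress session,
  2. the post-exploitation option changes (users_can_register enabled,
     default_role set to administrator),
  3. a strict less-than-2.0.6 check on a readme.txt 'Stable tag'.
All sample data is constructed; only the 'action' parameter name is real.
"""
import re
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "miglaA_update_me"   # admin-ajax action named in the advisory
FIXED_VERSION = (2, 0, 6)          # first release that is not affected


def parse_version(tag):
    """'2.0.5' -> (2, 0, 5); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", tag)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(tag):
    """Strict less-than comparison against 2.0.6, as the note above requires."""
    return parse_version(tag) < FIXED_VERSION


def stable_tag_from_readme(readme_text):
    """Extract the 'Stable tag' value from a WordPress plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def classify_request(req):
    """Return 'exploit_attempt', 'authenticated_call' or None for one request.

    req is a dict: {"method", "url", "body" (raw form string), "cookies" (dict)}.
    admin-ajax.php reads the action from $_REQUEST, so query string and form
    body are both inspected even though the IOC above names POST requests.
    """
    url = urlparse(req["url"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query)
    for key, values in parse_qs(req.get("body", "")).items():
        params.setdefault(key, []).extend(values)
    if VULN_ACTION not in params.get("action", []):
        return None
    # A logged-in WordPress session carries a wordpress_logged_in_* cookie;
    # the bug is that this action also works for requests without one.
    logged_in = any(c.startswith("wordpress_logged_in_") for c in req.get("cookies", {}))
    return "authenticated_call" if logged_in else "exploit_attempt"


# Post-exploitation indicators named in the advisory: option name -> predicate.
INDICATORS = {
    "users_can_register": lambda v: str(v).lower() in ("1", "true", "on"),
    "default_role": lambda v: str(v).lower() == "administrator",
}


def option_change_indicators(changes):
    """changes: iterable of (option_name, new_value). Returns matching option names."""
    return [name for name, value in changes
            if name in INDICATORS and INDICATORS[name](value)]


# --- constructed sample data (not captured from a real site) ---------------
SAMPLE_README = "=== Total Donations ===\nRequires at least: 4.0\nStable tag: 2.0.5\n"

SAMPLE_REQUESTS = [
    # No session cookie + vulnerable action: what exploitation would look like.
    # 'opt' is a placeholder parameter, not the plugin's real one.
    {"method": "POST", "url": "https://shop.example/wp-admin/admin-ajax.php",
     "body": "action=miglaA_update_me&opt=placeholder", "cookies": {}},
    # Same action from a logged-in admin: the plugin's normal settings save.
    {"method": "POST", "url": "https://shop.example/wp-admin/admin-ajax.php",
     "body": "action=miglaA_update_me&opt=placeholder",
     "cookies": {"wordpress_logged_in_abc123": "admin|constructed"}},
    # Unrelated core action: must not fire.
    {"method": "GET", "url": "https://shop.example/wp-admin/admin-ajax.php?action=heartbeat",
     "body": "", "cookies": {}},
]

SAMPLE_CHANGES = [
    ("users_can_register", "1"),
    ("default_role", "administrator"),
    ("blogname", "My Shop"),
]

if __name__ == "__main__":
    tag = stable_tag_from_readme(SAMPLE_README)
    print(f"Stable tag {tag}: {'VULNERABLE' if is_vulnerable_version(tag) else 'not affected'}")
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["url"], "->", classify_request(req))
    print("option indicators:", option_change_indicators(SAMPLE_CHANGES))
```

The request classifier distinguishes the unauthenticated case (alert) from the same action issued by a logged-in session (the plugin's own admin traffic), so a rule built on it does not page on every settings save; the option-change check is independent and catches the outcome even when the request log is incomplete.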

CVSS provenance

NVD (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL