Summary: The “Total Donations” plugin used to accept donations is now known to be compromised, and the developers have not issued an update in response to the breach. As Cimpanu writes, “the plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site, as a whole, to external manipulation, even from unauthenticated users.”
Furthermore, “deactivating the plugin doesn’t eliminate the threat, as attackers could simply call that file directly, and only removing the plugin in its entirety will safeguard sites from exploitation.”
The Jonesen Take: We are strong advocates for keeping plugin use to a minimum. If your site does not use the functionality that a plugin provides, then the plugin doesn’t need to be on the site. And when you do need additional functionality, we use only well-vetted and supported plugins.
Are you worried about outdated or abandoned plugins on your site? Contact us today; we are happy to audit your site for vulnerabilities.