Vulnerability Details : CVE-2019-6703
Potential exploit
Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
Products affected by CVE-2019-6703
- cpe:2.3:a:calmar-webmedia:total_donations:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-6703
1.02% — probability of exploitation activity in the next 30 days
EPSS Score History
~84% percentile: the proportion of vulnerabilities that are scored at or below this EPSS score
CVSS scores for CVE-2019-6703
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
References for CVE-2019-6703
- https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/ : "WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin" (Exploit; Third Party Advisory)
- https://wpvulndb.com/vulnerabilities/9208 : "Total Donations - Update Arbitrary WordPress Option Values" (Third Party Advisory)