WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin

The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. We have reserved CVE-2019-6703 to track and reference these vulnerabilities collectively.

It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites. The following article details the issues present in Total Donations, as well as the active attacks against the plugin. We’ll also take a look at our disclosure process, and the steps we took in our attempts to contact the plugin’s developers to reach a resolution.

Curious Access Logs

As is the case with many investigations, this discovery was directly aided by an attacker’s mistake.

More at https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/

Contact Form 7 and ReCAPTCHA

Those of you using Contact Form 7 may have noticed an increase in your spam levels around the middle of December. This was due to an update of Contact Form 7 which required an update from ReCAPTCHA version 2 to version 3… and then still didn’t work right. They finally got a fix out a couple of days later, and the spam is back to its usual dull roar instead of the weekend’s comparatively massive onslaught.

All of the sites on which we manage the Captcha have been updated. If you’re still getting a higher than normal amount of spam through your site, feel free to get in contact and we’ll take a look. It’s possible that your Captcha version is out of date.

It’s a good idea to send yourself an email through your contact form to make sure it works as you expect it to.

Gutenberg

There were big changes in the WordPress core around mid-December as it updated from 4.9.8 to 5.0 (and shortly after to 5.0.1 and 5.0.2, and now 5.0.3), which includes the Gutenberg editor.

As of this writing, we have not moved some of you to the 5.x series. Most of you hosted at Sustainable Sources have been upgraded, and we added and activated a plugin which lets you use either Gutenberg or the page editor you’re familiar with. To switch the Classic Editor off and try Gutenberg, just go to Plugins => Classic Editor and click the Deactivate link. To go back to Classic, simply click Activate. Classic Editor will be supported for ~2 years, but you may as well learn Gutenberg now.

To get you started, here are some helpful Gutenberg resources:

Gutenberg Handbook – official WordPress guide with an in-depth look at how the editor works and tutorials on block creation. https://wordpress.org/gutenberg/handbook/

WordPress Gutenberg Guide – an illustrated guide by codeinwp that explains how Gutenberg works and shows you some advanced tricks. https://www.codeinwp.com/blog/wordpress-gutenberg-guide/