Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. An attacker sends a request to wp-admin/admin-ajax.php invoking the miglaA_update_me action, which changes arbitrary options on affected sites without any authentication or capability check. Enabling new user registration and setting the default role for new users to Administrator is enough to register an administrator account and take over the site.
PoC code [public]
id: CVE-2019-6703

info:
  name: Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update
  author: DhiyaneshDK
  severity: critical
  description: |
    Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
  impact: |
    Attackers can modify site options, enabling new user registration as Administrator, leading to site takeover.
  remediation: Update to Total Donations 2.0.6 or later, where this issue is fixed.
  reference:
    - https://wpscan.com/vulnerability/6e6342b0-82ca-4f5f-8b59-92ec3bdf1d02/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-6703
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-6703
    epss-score: 0.55163
    epss-percentile: 0.97935
    cpe: cpe:2.3:a:calmar-webmedia:total_donations:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: calmar-webmedia
    product: total_donations
    framework: wordpress
    fofa-query: body="/wp-content/plugins/total-donations/"
  tags: cve,cve2019,wpscan,wordpress,wp,wp-plugin,total-donations,passive,vkev,vuln

http:
  - raw:
      - |
        GET /wp-content/plugins/total-donations/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 2.0.6")'
          - 'contains(body, "Total Donations")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"
        internal: true
# digest: 4a0a0047304502202828b9d8f5df0f2b2ad0b298b36677bd87146c561e04f488ae150fda7f3a6a4c0221009954e118b71f974f808fd063e1a8763d89aef76109690ccaf4a860e6bed994ec:922c64590222798bb761d5b6d8e72950
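The template above is a passive check: it never touches the vulnerable admin-ajax action, it only reads the plugin's readme.txt, pulls the "Stable tag" with the same regex, and flags a numeric version below 2.0.6 when the body mentions "Total Donations" and the status is 200. The Python below re-implements that decision so it can be run from a script or unit-tested offline. It is an added example, not part of the nuclei template or of the plugin; the readme bodies it embeds are constructed samples, not real plugin files, and `check_site()` is the only part that makes a network request.

```python
"""Passive version check for CVE-2019-6703, mirroring the nuclei template's
matcher/extractor logic. Example code added to this page, not the plugin's own.
"""
import re
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.request import urlopen

FIXED_VERSION = "2.0.6"  # first release without the flaw (template: "< 2.0.6")
README_PATH = "/wp-content/plugins/total-donations/readme.txt"
# Same pattern the template's extractor uses.
STABLE_TAG_RE = re.compile(r"(?mi)Stable tag: ([0-9.]+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.5' -> (2, 0, 5). Empty components (e.g. a trailing dot) are dropped."""
    return tuple(int(p) for p in v.strip().split(".") if p)


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise a < b. The shorter tuple is zero-padded so that
    '2.0' compares as '2.0.0'; a plain string comparison would get '2.10' wrong."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def extract_stable_tag(body: str) -> Optional[str]:
    """Return the numeric Stable tag, or None (e.g. 'Stable tag: trunk')."""
    m = STABLE_TAG_RE.search(body)
    return m.group(1) if m else None


def is_vulnerable_readme(body: str, status_code: int = 200) -> Optional[bool]:
    """Apply the template's three ANDed conditions to a fetched readme.txt.

    True  -> plugin present and version below 2.0.6
    False -> plugin present and version 2.0.6 or later
    None  -> cannot decide (non-200, not this plugin's readme, no numeric tag)
    """
    if status_code != 200 or "Total Donations" not in body:
        return None
    tag = extract_stable_tag(body)
    if tag is None:
        return None
    return version_lt(tag, FIXED_VERSION)


def check_site(base_url: str, timeout: float = 10.0) -> Optional[bool]:
    """Fetch the readme from a live site and classify it (network access)."""
    try:
        with urlopen(base_url.rstrip("/") + README_PATH, timeout=timeout) as resp:
            return is_vulnerable_readme(resp.read().decode("utf-8", "replace"), resp.status)
    except HTTPError as e:
        return is_vulnerable_readme("", e.code)


# Constructed sample readmes (not the plugin's actual files) for offline use.
SAMPLE_README_VULN = "=== Total Donations ===\nStable tag: 2.0.5\n"
SAMPLE_README_FIXED = "=== Total Donations ===\nStable tag: 2.0.6\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))
    else:
        print("sample vulnerable:", is_vulnerable_readme(SAMPLE_README_VULN))
        print("sample fixed:", is_vulnerable_readme(SAMPLE_README_FIXED))
```

Two caveats carry over from the template itself. A readme-based check reports the packaged version, so a site that blocks access to plugin readmes, or runs a locally patched copy with an unchanged Stable tag, will come back as None or as a false positive; and a `Stable tag: trunk` readme yields no version at all, which this code reports as undecided rather than as safe. Confirming exploitability would require calling the miglaA_update_me action, which writes to the site's options and should only be done on systems you are authorised to test.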