CVE-2019-6703

CRITICAL EXPLOITED NUCLEI

Calmar Webmedia Total Donations <2.0.5 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2019-6703 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Nuclei Templates (1)

Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update

CRITICALVERIFIEDby DhiyaneshDK

FOFA: body="/wp-content/plugins/total-donations/"

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/

Third Party Advisory x_refsource_misc

https://wpvulndb.com/vulnerabilities/9208

Scores

CVSS v3 9.8

EPSS 0.2608

EPSS Percentile 97.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-08-22

Status published

Products (1)

calmar-webmedia/total_donations < 2.0.5

Published Jan 27, 2019

Tracked Since Feb 18, 2026