CVE-2019-6703

CRITICAL EXPLOITED NUCLEI

Calmar Webmedia Total Donations <2.0.5 - Privilege Escalation

Title source: llm

Description

Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Nuclei Templates (1)

Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update

CRITICALVERIFIEDby DhiyaneshDK

FOFA: body="/wp-content/plugins/total-donations/"

References (2)

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/9208

[Exploit, Third Party Advisory] https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/

Scores

CVSS v3 9.8

EPSS 0.5469

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-08-22

Status published

Products (1)

calmar-webmedia/total_donations < 2.0.5

Published Jan 27, 2019

Tracked Since Feb 18, 2026