CVE-2019-6703

Basic Information

CVE State
PUBLISHED
Reserved Date
January 23, 2019
Published Date
January 27, 2019
Last Updated
August 04, 2024
Vendor
Calmar Webmedia
Product
Total Donations plugin for WordPress
Description
Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
Tags
wordpress php
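As an added defender-side example (not code from the advisory, the plugin or its vendor), the following Python scans web-server access logs for calls to the admin-ajax action named in the description and compares two snapshots of WordPress options for the two settings the description says an attacker changes. The log lines are constructed; `users_can_register` and `default_role` are the real WordPress option names for "new user registration" and "default role", which the advisory itself does not spell out.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jan/2019:12:23:06 +0000] "POST /wp-admin/admin-ajax.php?action=miglaA_update_me HTTP/1.1" 200 12 "-" "curl/7.64.0"
198.51.100.7 - - [25/Jan/2019:12:24:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jan/2019:12:25:30 +0000] "GET /wp-admin/admin-ajax.php?action=miglaA_update_me HTTP/1.1" 200 12 "-" "curl/7.64.0"
192.0.2.44 - - [25/Jan/2019:12:26:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

VULN_ACTION = "miglaA_update_me"  # the admin-ajax action named in the advisory
# Real WordPress option names for the two settings the advisory says get changed.
WATCHED_OPTIONS = ("users_can_register", "default_role")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one combined-format line into the fields we need; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    return rec

def is_vuln_action_call(rec):
    """True for a request to admin-ajax.php naming the vulnerable action in its query string.
    An action sent only in a POST body is invisible here; request-body or WAF logs cover that."""
    return rec["path"].endswith("/wp-admin/admin-ajax.php") and VULN_ACTION in rec["query"].get("action", [])

def scan(log_text):
    """One finding (ip, ts, method, status) per line that calls the vulnerable action."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_vuln_action_call(rec):
            findings.append({k: rec[k] for k in ("ip", "ts", "method", "status")})
    return findings

def option_drift(before, after):
    """Compare two wp_options snapshots; report watched options whose value changed."""
    return {k: (before.get(k), after.get(k)) for k in WATCHED_OPTIONS if before.get(k) != after.get(k)}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A non-empty result from `option_drift` on a site that also shows hits from `scan` is the combination to treat as a likely takeover attempt rather than an administrator's own settings change.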

CVSS Scores

CVSS v3.0

9.8 - CRITICAL

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
5.65% (Percentile: 89.84%) as of 2025-05-12

Exploit Status

Exploited in the Wild
Yes (2019-01-25 12:23:06 UTC)

Known Exploited Vulnerability Information

Source
Wordfence
Added Date
2019-01-25 12:23:06 UTC

Timeline

  • CVE ID Reserved (January 23, 2019)

  • Added to KEVIntel (January 25, 2019)

  • CVE Published to Public (January 27, 2019)