#VU17235 Privilege escalation in Total Donations - CVE-2019-6703
Published: January 28, 2019 / Updated: January 28, 2019
Vulnerability identifier: #VU17235
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2019-6703
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Total Donations
Software vendor:
CodeCanyon
Description
The vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists due to improper access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin. A remote attacker can send requests to wp-admin/admin-ajax.php, call the miglaA_update_me action to change arbitrary options and gain administrative access to affected WordPress sites.
Successful exploitation of the vulnerability may result in site takeover.
Remediation
Cybersecurity Help is currently unaware of any official solution to address the vulnerability.
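Absent a vendor fix, a site operator can refuse the unauthenticated path at the WordPress layer. The must-use plugin below is an added example written for this advisory, not code from the Total Donations plugin or from Cybersecurity Help; it assumes the action name miglaA_update_me from the description above and relies on WordPress core firing the admin_init hook in admin-ajax.php before it dispatches the wp_ajax_* / wp_ajax_nopriv_* hooks.

```php
<?php
/**
 * Plugin Name: Guard for CVE-2019-6703 (added example, not vendor code)
 * Description: Virtual patch that refuses the Total Donations
 *              miglaA_update_me AJAX action unless the caller may manage options.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

add_action( 'admin_init', function () {
    // admin-ajax.php runs 'admin_init' before it fires wp_ajax_{action} or
    // wp_ajax_nopriv_{action}, so this check precedes the plugin's own handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // The action name can arrive in the query string or the POST body;
    // $_REQUEST covers both. Compared exactly, because hook names are case-sensitive.
    $action = isset( $_REQUEST['action'] ) ? wp_unslash( (string) $_REQUEST['action'] ) : '';
    if ( 'miglaA_update_me' !== $action ) {
        return;
    }

    // The vulnerable handler lets any caller rewrite options, so only users who
    // are already allowed to change settings may reach it.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Keep an audit trail: the advisory reports in-the-wild exploitation.
    error_log( sprintf(
        'CVE-2019-6703 guard: blocked miglaA_update_me from %s (logged in: %s)',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        is_user_logged_in() ? 'yes' : 'no'
    ) );

    // wp_send_json_error() ends the request via wp_die(), so the plugin handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 0 ); // priority 0: run ahead of anything else hooked on admin_init
```

This is a stopgap that covers only the action named in the advisory; deactivating the plugin until an official fix is available remains the safer option.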