WordPress site owners using the "Total Donations" plugin are advised to delete the plugin from their servers to prevent hackers from exploiting an unpatched vulnerability in its code and take over affected sites.
Attacks using this zero-day have been observed over the past week by security experts from Defiant, the company behind the Wordfence firewall plugin for WordPress.
The zero-day affects all versions of Total Donations, a commercial plugin that site owners have bought from
CodeCanyon over the past years, and have used to gather
and manage donations from their respective userbases.
700,000 WordPress Sites Vulnerable to Takeover, No Fix Available
Over 6,000 WordPress hacked to install plugins pushing infostealers
Thousands of WordPress sites hacked through tagDiv plugin vulnerability