Over the past week, security researchers from Defiant, the company behind the Wordfence plugin for WordPress, have observed attacks using this zero-day. The zero-day applies to all versions of Total Donations, a commercial plugin that site owners have purchased from CodeCanyon in recent years and used to collect and manage donations from their respective user bases.

According to Defiant researcher Mikey Veenstra, the plugin's code contains several design flaws that inherently expose both the plugin and the WordPress site to external exploitation, even by unauthenticated users. Veenstra said in a security advisory published on Friday that the plugin contains an AJAX endpoint that can be queried by an unauthenticated remote attacker.

The AJAX endpoint is located in one of the plugin's files, which means that disabling the plugin does not remove the threat, since attackers can simply call that file directly; only removing the plugin entirely protects a site from exploitation. This AJAX endpoint allows an attacker to change the values of core settings of any WordPress site, modify the plugin's settings, modify the destination account for donations collected via the plugin, and even retrieve Mailchimp mailing lists (which the plugin supports as a side feature).

Defiant said that every attempt to contact the plugin's developer was unsuccessful. The developer's website appears to have been inactive since around May 2018, and the plugin's CodeCanyon product listing was deactivated around the same time, after numerous users reported that they had not received plugin updates for an extended period. The zero-day has received the identifier CVE-2019-6703.
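The two weaknesses the advisory describes, an AJAX handler that any unauthenticated visitor can reach and a plugin file that still executes when requested directly after the plugin is deactivated, map onto well-known WordPress coding mistakes. The following PHP is an added illustration and is not the Total Donations plugin's code; the function names, hook names and the `example_donation_account` option are assumptions chosen for the example. It shows the weak pattern beside a hardened handler that requires an authenticated administrator, a valid nonce, and sanitised input, and it opens with the direct-access guard that stops a plugin file from running outside WordPress.

```php
<?php
// Added illustration, not code from the plugin discussed above.
// Names below (example_*, 'example_donation_account') are assumptions.

// Direct-access guard: if WordPress has not loaded this file, ABSPATH is
// undefined and nothing below may execute. A plugin file without this check
// that handles requests at file scope can be called directly even after the
// plugin has been deactivated in the admin dashboard.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Weak pattern --------------------------------------------------------
// Registering on wp_ajax_nopriv_ makes the handler reachable without a login,
// and the body performs no capability check, no nonce check and no validation.
function example_weak_update_settings() {
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    // Anyone who can reach admin-ajax.php can now rewrite a site option.
    update_option( 'example_donation_account', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_update_settings', 'example_weak_update_settings' );
add_action( 'wp_ajax_example_update_settings', 'example_weak_update_settings' );

// --- Hardened pattern ----------------------------------------------------
function example_hardened_update_settings() {
    // 1. Authorisation: only users who may manage site options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_update_settings', 'nonce' );

    // 3. Input validation and sanitisation before anything reaches the options table.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    if ( '' === $value ) {
        wp_send_json_error( array( 'message' => 'Missing value' ), 400 );
    }

    update_option( 'example_donation_account', $value );
    wp_send_json_success();
}
// Registered only on the authenticated hook; no wp_ajax_nopriv_ variant exists,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_example_update_settings', 'example_hardened_update_settings' );
```

When auditing a plugin for the class of problem described here, the checks to look for are exactly these three: is the handler registered on a `wp_ajax_nopriv_` hook or reachable through a directly requestable file, does it call `current_user_can()` with an appropriate capability, and does it verify a nonce with `check_ajax_referer()` before writing options.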
Defiant said it would keep tracking the ongoing attacks for any notable activity. The plugin is not expected to have a large user base, because it is a commercial offering. It is nonetheless most likely installed on active websites with large user bases, the kind of sites that could afford a commercial plugin in the first place and that are also high-value targets for attackers.