Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update

03 Jul 2026 13:39:16 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Unauthenticated attackers can update options in Total Donations below 2.0.6, risking takeover.

Related

Reporter | Title | Published
Circl | CVE-2019-6703 | 29 Jan 2019 16:52
CVE | CVE-2019-6703 | 27 Jan 2019 02:00
Cvelist | CVE-2019-6703 | 27 Jan 2019 02:00
EUVD | EUVD-2019-16261 | 7 Oct 2025 00:30
NVD | CVE-2019-6703 | 27 Jan 2019 02:29
Prion | Improper access control | 27 Jan 2019 02:29
ThreatPost | Wordpress Users Urged to Delete Zero-Day-Ridden Plugin | 28 Jan 2019 14:39
VulnCheck KEV | VulnCheck KEV: CVE-2019-6703 | 22 Aug 2020 00:00
Tenable Nessus | Total Donations Plugin for WordPress < 2.0.6 Arbitrary Options Update | 7 Feb 2023 00:00
WPVulnDB | Total Donations - Update Arbitrary WordPress Option Values | 25 Jan 2019 00:00

id: CVE-2019-6703

info:
  name: Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update
  author: DhiyaneshDK
  severity: critical
  description: |
    Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
  impact: |
    Attackers can modify site options, enabling new user registration as Administrator, leading to site takeover.
  remediation: Update to the latest version of the plugin where this issue is fixed.
  reference:
    - https://wpscan.com/vulnerability/6e6342b0-82ca-4f5f-8b59-92ec3bdf1d02/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-6703
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-6703
    epss-score: 0.26076
    epss-percentile: 0.97734
    cpe: cpe:2.3:a:calmar-webmedia:total_donations:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: calmar-webmedia
    product: total_donations
    framework: wordpress
    fofa-query: body="/wp-content/plugins/total-donations/"
  tags: cve,cve2019,wpscan,wordpress,wp,wp-plugin,total-donations,passive,vkev,vuln

http:
  - raw:
      - |
        GET /wp-content/plugins/total-donations/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 2.0.6")'
          - 'contains(body, "Total Donations")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"
        internal: true
# digest: 4a0a00473045022013988c8cea92bb07ae65277a6f70394c377a73c5d755d7941b3e1f2d2b1518a5022100902cad0541a6a80bee14859c30340631935941d39fce118fc0dc01575b207a73:922c64590222798bb761d5b6d8e72950
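
The template's passive check (status 200, body contains "Total Donations", `Stable tag` below 2.0.6) can be reproduced offline against readme.txt files collected during a plugin inventory. The following is an added example, not part of the ProjectDiscovery template; the function names and the `unknown-version` result (plugin present, no parsable tag) are assumptions introduced here.

```python
import re
from typing import Optional, Tuple

# First version outside the template's "< 2.0.6" range.
FIXED_VERSION = (2, 0, 6)
# Same pattern as the template's extractor: (?mi)Stable tag: ([0-9.]+)
STABLE_TAG = re.compile(r"Stable tag: ([0-9.]+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.10' into (2, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split(".") if part)


def stable_tag(readme: str) -> Optional[str]:
    """Return the raw 'Stable tag' value from readme text, or None if absent."""
    match = STABLE_TAG.search(readme)
    return match.group(1) if match else None


def assess(status_code: int, body: str) -> str:
    """Classify one readme.txt response the way the template's matchers do."""
    if status_code != 200 or "Total Donations" not in body:
        return "not-detected"
    tag = stable_tag(body)
    if tag is None or not parse_version(tag):
        # The template would simply not match; an inventory should flag it.
        return "unknown-version"
    return "affected" if parse_version(tag) < FIXED_VERSION else "not-affected"


if __name__ == "__main__":
    # Constructed sample readme bodies, not taken from real sites.
    samples = {
        "old": "=== Total Donations ===\nStable tag: 2.0.5\n",
        "fixed": "=== Total Donations ===\nStable tag: 2.0.6\n",
        "no-tag": "=== Total Donations ===\nRequires at least: 4.0\n",
    }
    for name, body in samples.items():
        print(name, assess(200, body))
```

A readme.txt can be stale or deleted, so confirm any result against the plugin version actually installed.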

Scores, 04 Feb 2026 07:00 (current): Vulners AI Score 7.1 (High risk); CVSS 2: 7.5; CVSS 3: 9.8; EPSS: 0.26076