WordPress Sites Under Attack Via The Total Donations Plugin - Cybers Guards

In the past week, security researchers from Defiant, the company behind the Wordfence plugin for WordPress, have observed attacks exploiting a zero-day in the Total Donations plugin. Defiant researcher Mikey Veenstra said in a security advisory published on Friday that the plugin contains an AJAX endpoint that can be queried by an unauthenticated remote attacker. According to Veenstra, the plugin's code contains several design flaws that inherently expose the plugin and the WordPress site to external manipulation, even by unauthenticated users. The zero-day affects all versions of Total Donations, a commercial plugin that website owners have purchased from CodeCanyon in recent years and used to collect and manage donations from their respective user bases. The Total Donations zero-day has received the identifier CVE-2019-6703. The AJAX endpoint is located in one of the plugin's files, which means that deactivating the plugin does not eliminate the threat, as attackers can still call that file directly; only removing the plugin entirely protects a site from exploitation. The developer's site appears to have been nonoperational since around May 2018, and the plugin's CodeCanyon product listing was deactivated around the same time, after numerous users reported that they had not received plugin updates for some time. Because it is a commercial offering, the plugin is not expected to have a large user base. It is nevertheless most likely installed on active sites with large audiences, which could afford a commercial plugin in the first place and which are also high-value targets for attackers. Defiant said it would keep tracking the ongoing attacks for any notable activity.
This AJAX endpoint allows an attacker to change the values of core settings of any affected WordPress site, change the plugin's settings, modify the destination account for donations received via the plugin, and even retrieve Mailchimp mailing lists (which the plugin supports as a side feature). Defiant said that every attempt to contact the plugin's developer was unsuccessful.
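The class of flaw described above is an AJAX handler that is reachable by unauthenticated callers and writes to site options without any authorization check. The following is an added illustration, not the Total Donations plugin's code and not Defiant's; the plugin slug, option names and action names are hypothetical. It shows the weak pattern beside the hardened form a defender would expect: a guard against direct file access, a nonce check, a capability check, and an allow-list of settings keys.

```php
<?php
// Illustrative only: NOT the Total Donations plugin's code.
// Hypothetical file: wp-content/plugins/example-donations/ajax.php

// Refuse direct requests to this file; it must be loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// WEAK PATTERN (the class of flaw the article describes): the handler is
// registered for unauthenticated callers (wp_ajax_nopriv_*), performs no
// nonce or capability check, and writes whatever it is sent into an option.
function exd_unsafe_save_settings() {
    update_option( 'exd_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_exd_save_settings', 'exd_unsafe_save_settings' );

// HARDENED PATTERN: logged-in callers only (no nopriv hook), a nonce tied to
// this action, an explicit capability check, and input restricted to a fixed
// set of keys that are sanitized before being stored.
function exd_safe_save_settings() {
    check_ajax_referer( 'exd_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'goal_amount', 'currency' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }
    update_option( 'exd_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_exd_save_settings', 'exd_safe_save_settings' );
```

The ABSPATH guard matters for the situation the article describes: a plugin file that can be requested directly keeps answering even after the plugin is deactivated, so the check must live in the file itself rather than rely on the plugin being active.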
