WordPress Sites Under Attack Via The Total Donations Plugin | Cybers Guards

Over the past week, security researchers at Defiant, the company behind the Wordfence plugin for WordPress, have observed attacks exploiting a zero-day in Total Donations, a commercial plugin that site owners have bought from CodeCanyon in recent years and use to collect and manage donations from their user bases. The zero-day has been assigned the identifier CVE-2019-6703 and affects all versions of Total Donations.

According to Defiant researcher Mikey Veenstra, the plugin's code contains several design flaws that inherently expose both the plugin and the WordPress site to remote exploitation, including by unauthenticated users. Veenstra wrote in a security alert published on Friday that the plugin contains an AJAX endpoint that can be queried by an unauthenticated remote attacker. That endpoint lets an attacker change the values of core settings of any WordPress site running the plugin, change the plugin's own settings, modify the destination account for donations received through the plugin, and even retrieve Mailchimp mailing lists (a side feature the plugin supports).

The AJAX endpoint lives in one of the plugin's files, which means that disabling the plugin does not eliminate the threat: attackers can simply request that file directly. Only removing the plugin in its entirety protects a site from exploitation.

Because Total Donations is a commercial offering, it is not expected to have a large user base. However, it is most likely installed on active sites with large audiences, the kind that could afford a commercial plugin in the first place and that are also high-value targets for attackers.

Defiant said that every attempt to contact the plugin's developer was unsuccessful. The developer's site appears to have been inactive since around May 2018, and the plugin's CodeCanyon product listing was deactivated around the same time, after numerous users reported that they had not received plugin updates for several months. Defiant said it would keep tracking the ongoing attacks for any notable activity.
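To make the flaw pattern concrete, the following is an added, constructed example written for this article; it is not code from the Total Donations plugin or from Defiant's advisory. It shows a WordPress AJAX handler registered for unauthenticated visitors that writes an attacker-supplied option name and value with `update_option()`, next to a hardened version of the same handler. All function, action and option names prefixed `exampledonate_` are hypothetical.

```php
<?php
// Added, constructed example: not the Total Donations plugin's code.
// Both handlers are shown side by side under different action names; a real
// plugin would ship only the hardened one.

// Standard guard against direct requests to this file. Without it, a request
// to .../wp-content/plugins/<plugin>/this-file.php executes the code below even
// when the plugin is deactivated in the admin panel, because ABSPATH is only
// defined when WordPress itself loads the file.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// ---- VULNERABLE PATTERN (hypothetical) --------------------------------
// wp_ajax_nopriv_* hooks fire for visitors who are not logged in, so anyone can
// POST action=exampledonate_update_option_v1&key=...&value=... to
// /wp-admin/admin-ajax.php. There is no nonce, no capability check, and the
// option name is attacker-controlled, so any WordPress option, core settings
// included, can be overwritten.
function exampledonate_update_option_vulnerable() {
    $key   = $_POST['key'];
    $value = $_POST['value'];
    update_option( $key, $value );
    wp_send_json_success( array( 'updated' => $key ) );
}
add_action( 'wp_ajax_nopriv_exampledonate_update_option_v1', 'exampledonate_update_option_vulnerable' );
add_action( 'wp_ajax_exampledonate_update_option_v1', 'exampledonate_update_option_vulnerable' );

// ---- HARDENED PATTERN (hypothetical) ----------------------------------
// 1. Register only the authenticated hook (no wp_ajax_nopriv_ variant).
// 2. Verify a nonce tied to this action so a logged-in admin cannot be CSRF'd.
// 3. Require the manage_options capability.
// 4. Accept only this plugin's own namespaced options, never arbitrary keys.
// 5. Sanitize the value before storing it.
const EXAMPLEDONATE_ALLOWED_OPTIONS = array(
    'exampledonate_currency',
    'exampledonate_thank_you_message',
);

function exampledonate_update_option_hardened() {
    check_ajax_referer( 'exampledonate_update_option', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $key = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! in_array( $key, EXAMPLEDONATE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $key, $value );
    wp_send_json_success( array( 'updated' => $key ) );
}
add_action( 'wp_ajax_exampledonate_update_option', 'exampledonate_update_option_hardened' );
```

In the hardened version the admin page's script obtains its nonce from `wp_create_nonce( 'exampledonate_update_option' )` (typically handed to the browser with `wp_localize_script()`) and sends it as the `nonce` field; `check_ajax_referer()` terminates the request if it is missing or stale. The `ABSPATH` guard addresses the point made above that deactivating a plugin does not stop requests aimed directly at its files: a guarded file exits immediately when fetched outside WordPress. It does not change the practical advice for the affected plugin, which is to remove it entirely rather than rely on deactivation.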
