Security experts at Wordfence security firms discovered WordPress Sites compromised via Zero-Day vulnerabilities in Total Donations plugin. The plugin was abandoned by its developers for this reason security experts are recommending to delete it. The zero-day flaws affect all known versions of the WordPress plugin up to and including 2.0.5. Attackers can send test emails to an arbitrary address, a malicious action that could be automated to trigger a Denial of Service (DoS) for outbound email, or by causing the victim site to be included on spam blacklists.”]
Source: https://securityaffairs.co/wordpress/80386/hacking/total-donations-zero-day-flaws.html