Vulnerabilities exist in all known versions of the plugin up to and including 2.0.5, Wordfence researchers said. The development team of the vulnerable Total Donations plugin appears to have abandoned it, and did not respond to inquiries from researchers. The plugin was purchased by site owners from Envato s CodeCanyon, which now lists it as unavailable for purchase, but displays a Coming Soon page, featuring a mockup image of a new website.
Source: https://threatpost.com/wordpress-users-urged-to-delete-zero-day-ridden-plugin/141209/