Critical Vulnerabilities in Anti-Spam Plugin Expose Over 200,000 WordPress Sites to Cyber Attacks

Two critical vulnerabilities in the CleanTalk Anti-Spam plugin for WordPress, used by over 200,000 sites, expose them to remote attacks. The flaws (CVE-2024-10542 and CVE-2024-10781) allow unauthenticated attackers to bypass authorization and install or activate malicious plugins, potentially leading to remote code execution (RCE). The vulnerabilities were patched in versions 6.44 and 6.45, released in November 2024. Users are advised to update immediately to secure their sites from exploitation.


Critical Vulnerabilities Found in Anti-Spam Plugin Affecting 200,000+ WordPress Sites

Two critical vulnerabilities have been discovered in the Spam protection, Anti-Spam, and FireWall plugin by CleanTalk, a popular WordPress plugin used to block spam comments, registrations, and other forms of web abuse. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, put over 200,000 WordPress sites at risk. Both flaws carry a CVSS score of 9.8 out of 10, which places them in the critical range.

Vulnerabilities Overview

  1. CVE-2024-10542: Authorization Bypass via Reverse DNS Spoofing

    • Affected Versions: All versions up to 6.43.2.
    • Description: This flaw lies in the plugin's checkWithoutToken() function, which decides whether a request may be processed without a token. The function performs a reverse DNS lookup on the requesting IP address and trusts the request if the returned hostname belongs to cleantalk.org. A reverse (PTR) record is controlled by whoever controls the IP address block, not by the owner of the domain it names, so an attacker can point the PTR record of an IP they control at a cleantalk.org hostname and pass the check; the plugin never confirms that the hostname resolves back to the requesting IP. Once past the check, the attacker can install, activate, or deactivate plugins without authentication, which leads to remote code execution (RCE) if the installed plugin is malicious or itself vulnerable.
    • Impact: An unauthenticated attacker can install and activate malicious plugins, potentially compromising the entire WordPress installation.
  2. CVE-2024-10781: Authorization Bypass Due to Missing Empty Value Check

    • Affected Versions: All versions up to 6.44.
    • Description: This vulnerability stems from a missing empty-value check on the API key. The plugin's perform() function authorizes remote calls by comparing a token supplied in the request with a hash of the site's stored API key. When no API key has been configured, the stored key is an empty string, and the function still compares against the hash of that empty string; an attacker who sends the hash of an empty value therefore passes the check. This yields the same capabilities as the first flaw: installing, activating, or deactivating arbitrary plugins without authentication.
    • Impact: On sites where the plugin is installed but no API key has been configured (for example, a plugin that was installed but never fully set up), an attacker can install or modify plugins, potentially leading to RCE if a vulnerable or malicious plugin is activated.
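To make the two authorization checks concrete, the following added example (written for this page, not taken from the plugin's own code) models both of them in Python. The IP addresses, hostnames, DNS records and the md5-of-API-key token scheme are constructed assumptions for the demonstration. Each vulnerable check is paired with a hardened version: forward-confirmed reverse DNS for the first flaw, and an explicit empty-key guard plus a constant-time comparison for the second.

```python
import hashlib
import hmac

# Constructed, offline stand-ins for DNS. The real check queries the resolver;
# here two dicts model PTR (reverse) and A (forward) records. All addresses
# and hostnames below are illustrative assumptions, not CleanTalk's real ones.
PTR_RECORDS = {
    "203.0.113.10": "api.cleantalk.org",    # genuine vendor host
    "198.51.100.77": "fake.cleantalk.org",  # attacker-owned IP with a forged PTR
}
A_RECORDS = {
    "api.cleantalk.org": {"203.0.113.10"},
    # The attacker controls the PTR for their own IP block, but not the
    # vendor's DNS zone, so the forged name has no forward record to their IP.
    "fake.cleantalk.org": set(),
}
TRUSTED_SUFFIX = ".cleantalk.org"


def reverse_lookup(ip):
    """PTR lookup (stand-in for gethostbyaddr)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(host):
    """A-record lookup (stand-in for gethostbynamel)."""
    return A_RECORDS.get(host, set())


def is_trusted_vulnerable(ip):
    """The CVE-2024-10542 pattern: any PTR name under the vendor domain is trusted."""
    host = reverse_lookup(ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)


def is_trusted_fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    host = reverse_lookup(ip)
    if host is None or not host.endswith(TRUSTED_SUFFIX):
        return False
    return ip in forward_lookup(host)


def expected_token(api_key):
    """Assumed token scheme for the demo: hex MD5 of the stored API key."""
    return hashlib.md5(api_key.encode()).hexdigest()


def token_ok_vulnerable(api_key, supplied_token):
    """The CVE-2024-10781 pattern: no empty-key check, so md5('') is a valid token."""
    return supplied_token == expected_token(api_key)


def token_ok_hardened(api_key, supplied_token):
    """Refuse when no key is configured, then compare in constant time."""
    if not api_key or not supplied_token:
        return False
    return hmac.compare_digest(expected_token(api_key).encode(),
                               supplied_token.encode())


if __name__ == "__main__":
    print("attacker IP, suffix-only check:", is_trusted_vulnerable("198.51.100.77"))  # True
    print("attacker IP, FCrDNS check     :", is_trusted_fcrdns("198.51.100.77"))     # False
    empty_hash = expected_token("")
    print("empty key, vulnerable compare :", token_ok_vulnerable("", empty_hash))    # True
    print("empty key, hardened compare   :", token_ok_hardened("", empty_hash))      # False
```

The forged PTR passes the suffix-only check because nothing in it is under the vendor's control; the forward confirmation fails because the attacker cannot publish an A record inside cleantalk.org's zone. The token fix is two separate decisions: an unconfigured key must never be an acceptable credential, and the comparison should not leak timing.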

Security Implications

Both vulnerabilities are particularly dangerous because they let unauthenticated attackers drive the plugin's remote management actions without any kind of login. The most serious consequence is that attackers can install, activate, deactivate, or uninstall plugins at will, which opens the door to remote code execution (RCE) as soon as a malicious or vulnerable plugin is activated.

  • Remote Code Execution (RCE): Once a malicious plugin is activated, the attacker could inject harmful code that executes arbitrary commands on the server, compromising the entire WordPress site.

  • Malware Deployment: Attackers can inject malicious code that redirects visitors to phishing sites, skims credentials entered on the site, or steals administrator passwords.

  • Widespread Impact: Given the plugin's user base of over 200,000 sites, the number of affected websites is large, making it a prime target for cybercriminals.

Patch Information

  • Version 6.44 (released November 1, 2024) partially addressed these flaws by fixing CVE-2024-10542 (Reverse DNS Spoofing vulnerability).

  • Version 6.45 (released November 14, 2024) fixed CVE-2024-10781 (Missing empty value check vulnerability), effectively patching both security flaws.

Recommendations for Users

  1. Immediate Update: All site owners using the CleanTalk plugin should update to version 6.45 or later immediately; 6.44 closes only the reverse DNS flaw.

  2. Review API Key Configuration: Ensure the plugin has a valid API key configured. On an unpatched version an empty key is exactly the condition CVE-2024-10781 exploits, and an unconfigured plugin is also not doing its job.

  3. Ongoing Monitoring: Watch the site for plugin installations, activations, or deactivations that no administrator performed, and compare the installed plugin inventory against a known-good baseline.
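As an added example of the monitoring step (not part of the original advisory), the script below compares two plugin inventories in the shape that `wp plugin list --format=json` prints and flags additions, removals, and activation changes, then checks whether the CleanTalk plugin is still below the fully patched 6.45 release. The inventories are constructed sample data, and the plugin slug `cleantalk-spam-protect` is an assumption.

```python
import json

# Constructed sample inventories in the shape `wp plugin list --format=json`
# prints (assumption: the plugin's slug is cleantalk-spam-protect).
BASELINE_JSON = """[
  {"name": "cleantalk-spam-protect", "status": "active", "version": "6.45"},
  {"name": "akismet", "status": "inactive", "version": "5.3"}
]"""

# A later snapshot: an unexpected plugin appeared and akismet was switched on.
CURRENT_JSON = """[
  {"name": "cleantalk-spam-protect", "status": "active", "version": "6.45"},
  {"name": "akismet", "status": "active", "version": "5.3"},
  {"name": "wp-file-manager", "status": "active", "version": "6.0"}
]"""

# A site still running a vulnerable CleanTalk release.
OLD_JSON = """[
  {"name": "cleantalk-spam-protect", "status": "active", "version": "6.43.2"}
]"""

CLEANTALK_SLUG = "cleantalk-spam-protect"
PATCHED_VERSION = (6, 45)   # first release carrying both fixes


def index_plugins(raw_json):
    """Map plugin slug -> record for one inventory snapshot."""
    return {p["name"]: p for p in json.loads(raw_json)}


def plugin_changes(baseline_json, current_json):
    """Return (added, removed, status_changed) slugs between two snapshots."""
    base = index_plugins(baseline_json)
    cur = index_plugins(current_json)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    status_changed = sorted(
        slug for slug in set(base) & set(cur)
        if base[slug]["status"] != cur[slug]["status"]
    )
    return added, removed, status_changed


def version_tuple(version):
    """'6.43.2' -> (6, 43, 2) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def cleantalk_unpatched(current_json):
    """True when the CleanTalk plugin is present and older than 6.45."""
    plugin = index_plugins(current_json).get(CLEANTALK_SLUG)
    return plugin is not None and version_tuple(plugin["version"]) < PATCHED_VERSION


if __name__ == "__main__":
    added, removed, changed = plugin_changes(BASELINE_JSON, CURRENT_JSON)
    for slug in added:
        print(f"ALERT: plugin installed since baseline: {slug}")
    for slug in removed:
        print(f"ALERT: plugin removed since baseline: {slug}")
    for slug in changed:
        print(f"ALERT: activation state changed: {slug}")
    if cleantalk_unpatched(OLD_JSON):
        print("ALERT: CleanTalk plugin below 6.45, update required")
```

In practice the baseline is captured once the site is known good (`wp plugin list --format=json > baseline.json`) and the current snapshot is taken on a schedule; any plugin that appears or flips to active without a matching change ticket is the signal these vulnerabilities would produce.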

Exploitation Risks

Sites that do not update to the latest version of the plugin are vulnerable to exploitation. The attacks could lead to:

  • Arbitrary plugin installation and activation: Attackers could install plugins that are specifically designed to exploit further vulnerabilities.
  • Remote code execution (RCE): Once a malicious plugin is installed and activated, it can execute arbitrary PHP code on the server, compromising the host.
  • Unauthorized access to site data: Attackers could steal sensitive data, including admin credentials, or redirect users to malicious sites.

These critical vulnerabilities in the CleanTalk plugin put over 200,000 WordPress sites at significant risk of compromise. The vulnerabilities allow unauthenticated attackers to install and activate malicious plugins, which could lead to remote code execution and full-site compromise.

WordPress site owners should update to version 6.45 or later of the plugin without delay to protect their sites from potential exploitation.