A critical vulnerability has been discovered in the Anti-Spam by CleanTalk WordPress plugin, which is installed on over 200,000 active websites. The vulnerability, tracked as CVE-2024-10542 and CVE-2024-10781, allows unauthenticated attackers to install and activate arbitrary plugins on affected sites, potentially enabling remote code execution. These vulnerabilities, marked with a CVSS score of 9.8, were identified by Wordfence researchers and have been deemed critical for site security. The flaws pose a significant threat to websites relying on the plugin, as attackers can gain full control over compromised systems.
The first vulnerability, CVE-2024-10542, involves an authorization bypass via reverse DNS spoofing. This flaw stems from the plugin’s reliance on IP address resolution and domain name checking, which attackers can exploit by spoofing the IP address using certain headers. By doing so, an attacker can bypass security checks and gain unauthorized access to the plugin’s functionality, including installing, activating, or uninstalling other plugins. The second vulnerability, CVE-2024-10781, arises from a lack of validation for empty API key values, allowing attackers to authorize themselves using a token that matches an empty hash value.
Both vulnerabilities were identified in versions of the plugin released up until version 6.44. In response, CleanTalk released a partial patch for version 6.44 on November 1, 2024, which addressed the first flaw. However, the second vulnerability was discovered shortly after, prompting the release of a full patch in version 6.45 on November 14, 2024. Website administrators are strongly urged to update their Anti-Spam by CleanTalk plugin to version 6.45 immediately to ensure their sites are protected from potential exploitation.
In addition to updating the plugin, it is essential for website administrators to properly configure the plugin’s API key to prevent unauthorized access. Implementing further security measures, such as using a Web Application Firewall (WAF), can also help mitigate the risk of attacks targeting these vulnerabilities. This security incident underscores the importance of timely updates and responsible vulnerability disclosure within the WordPress ecosystem, as attackers continue to exploit known flaws to compromise websites and data.
