Two critical vulnerabilities in the widely used WordPress plugin, Spam protection, Anti-Spam, and FireWall by CleanTalk, have been discovered, potentially exposing over 200,000 websites to remote attacks. These flaws could allow unauthenticated attackers to install and activate malicious plugins, potentially leading to remote code execution (RCE) and other severe consequences.
Overview of the Vulnerabilities
The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, both carry a near-maximum CVSS severity score of 9.8 out of 10. This highlights their critical nature and the urgent need for remediation. CleanTalk addressed these issues in plugin versions 6.44 and 6.45, which were released this month. Website administrators using older versions are strongly urged to update immediately.
This plugin, advertised as a “universal anti-spam plugin,” is designed to block spam comments, registrations, and survey entries while enhancing site security with its integrated firewall capabilities. However, the discovery of these flaws has turned a tool meant for protection into a potential attack vector.
Detailed Analysis of the Vulnerabilities
1. CVE-2024-10781 – Authorization Bypass via API Key Check
Discovered by security researcher István Márton, this vulnerability arises from a missing empty value check on the api_key parameter in the plugin’s perform function. This oversight allows attackers to bypass authorization and exploit the plugin for arbitrary plugin installation, activation, or deactivation.
Once a malicious plugin is installed, an attacker could execute harmful operations, including running arbitrary PHP code or further exploiting vulnerabilities in the malicious plugin itself to achieve RCE.
2. CVE-2024-10542 – Authorization Bypass via Reverse DNS Spoofing
This vulnerability stems from a flaw in the checkWithoutToken() function, which can be exploited through reverse DNS spoofing. Attackers can bypass critical authorization checks, enabling them to manipulate the plugin’s settings and behavior without proper authentication.
Both vulnerabilities, when exploited, provide attackers with administrative-level control over the plugin. This includes the ability to install, activate, deactivate, and uninstall plugins, effectively giving cybercriminals a backdoor to compromise WordPress websites.
Potential Impacts on WordPress Websites
The implications of these vulnerabilities extend beyond mere inconvenience:
- Remote Code Execution (RCE): If an attacker activates a plugin with its own vulnerabilities, they can gain access to execute arbitrary code on the server, compromising the site’s security and integrity.
- Site Defacement: Attackers may manipulate the site’s content or layout, damaging the website’s reputation and trustworthiness.
- Data Theft: Malicious plugins can be used to skim login credentials, harvest admin passwords, or steal sensitive user data.
- Redirects to Malicious Sites: Visitors could be redirected to phishing or scam sites, potentially leading to further harm to users and loss of traffic for the compromised website.
Actionable Recommendations
Update Immediately:
All users of the CleanTalk Spam protection, Anti-Spam, and FireWall plugin should upgrade to the latest patched version (6.45 or higher). Delaying updates significantly increases the risk of exploitation.Monitor Site Logs:
Regularly review your website’s logs for unusual activity, such as unauthorized plugin installations or settings changes. Early detection can mitigate potential damage.Implement a Web Application Firewall (WAF):
Deploy a robust WAF to block unauthorized requests and suspicious traffic. This can provide an additional layer of protection against such vulnerabilities.Strengthen Server Security:
Ensure your WordPress site and its server are configured securely. Use strong passwords, disable unnecessary services, and restrict file permissions to reduce attack surfaces.Backup Regularly:
Maintain up-to-date backups of your site’s data and configurations. This ensures that you can quickly restore your website in the event of a compromise.
Broader WordPress Security Concerns
This incident is part of a larger trend where WordPress plugins become an attractive target for cybercriminals. Recently, Sucuri identified multiple attack campaigns exploiting compromised WordPress sites to achieve the following malicious goals:
- Injecting Malicious Code: Redirecting visitors to fraudulent websites or ads.
- Credential Theft: Skimming login credentials from users and administrators.
- Malware Distribution: Dropping malicious software designed to capture admin passwords or execute PHP code.
One particularly concerning campaign involves redirecting victims to scam sites like VexTrio Viper, which execute phishing schemes and distribute malware. The CleanTalk vulnerabilities could serve as another entry point for such malicious campaigns.
Conclusion
The discovery of critical flaws in the CleanTalk plugin underlines the importance of vigilance in WordPress site management. Plugins, while enhancing functionality and user experience, can inadvertently introduce risks if not properly secured or updated.
Website administrators must act swiftly to address these vulnerabilities by updating to the latest versions and implementing robust security measures. By staying proactive, site owners can protect their websites, user data, and reputations from the ever-evolving landscape of cyber threats.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Russian RomCom Exploits Zero-Day Flaws in Firefox and Windows