Two severe vulnerabilities in the Spam Protection, Anti-Spam, and Firewall plugin for WordPress have been discovered, potentially enabling unauthenticated attackers to install malicious plugins on targeted websites and execute remote code. This critical exposure impacts over 200,000 WordPress sites globally.
The flaws, identified as CVE-2024-10542 and CVE-2024-10781, are rated with an alarming CVSS score of 9.8 out of 10. Patches for these vulnerabilities were released in plugin versions 6.44 and 6.45 earlier this month, urging immediate action from site administrators.
CleanTalk’s plugin, marketed as a “universal anti-spam solution,” is widely utilized to block spam content such as comments, user registrations, and survey entries. However, these recent flaws underscore significant risks that could jeopardize its user base.
Details of the Vulnerabilities
According to Wordfence, both vulnerabilities stem from an authorization bypass, allowing threat actors to install and activate arbitrary plugins. Such actions can serve as a gateway for further exploitation, including remote code execution, especially if the activated plugins themselves contain vulnerabilities.
- CVE-2024-10781
Security researcher István Márton uncovered a flaw in the plugin’s perform function, which fails to validate empty api_key values. This oversight makes all versions up to 6.44 vulnerable to unauthorized arbitrary plugin installation.
- CVE-2024-10542
This issue arises from an authorization bypass facilitated by reverse DNS spoofing in the checkWithoutToken() function. The flaw allows attackers to manipulate authorization checks, granting them elevated control over plugin operations.
Exploitation of these vulnerabilities could lead to the installation, activation, deactivation, or even removal of plugins, significantly amplifying the attack surface for compromised sites.
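The two bug classes described above (an empty API key that is not rejected, and an authorization check that trusts reverse DNS) are shown below in their hardened form. This is an added illustration written for this article, not CleanTalk's code, and it does not reproduce the plugin's perform or checkWithoutToken() functions. The TRUSTED_SUFFIXES list, the resolver callables, the IP addresses and hostnames are all constructed for the demonstration; requiring both checks to pass is a design choice of this example, not a statement about how the plugin combines them. Assumes PHP 8 (str_ends_with, arrow functions).

```php
<?php
// Added example, not from the article or the plugin. Two defensive checks:
// (1) an empty or missing API key is never accepted, and is compared in constant time;
// (2) a reverse-DNS name is only trusted when it forward-confirms to the same IP.

// Hypothetical allow-list of reverse-DNS suffixes (constructed placeholder).
const TRUSTED_SUFFIXES = ['.example-api.test'];

function api_key_is_valid(?string $supplied, string $stored): bool {
    // Reject empty input on either side: an empty stored key must not match an empty request.
    if ($supplied === null || $supplied === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $supplied); // constant-time comparison
}

// Forward-confirmed reverse DNS (FCrDNS): the PTR name for $ip must itself resolve
// back to $ip. The resolver callables are injected so this runs offline; in production
// they would wrap gethostbyaddr() and gethostbynamel().
function ip_is_trusted(string $ip, callable $reverse, callable $forward): bool {
    $host = $reverse($ip);
    if ($host === false || $host === $ip) {
        return false; // no PTR record: nothing to trust
    }
    $suffix_ok = false;
    foreach (TRUSTED_SUFFIXES as $suffix) {
        if (str_ends_with($host, $suffix)) {
            $suffix_ok = true;
            break;
        }
    }
    if (!$suffix_ok) {
        return false;
    }
    // Anyone controlling the PTR zone for an IP can publish any name; the forward
    // lookup of that name is what ties the name back to the address.
    $addrs = $forward($host);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

function authorize_plugin_action(?string $key, string $stored_key, string $ip,
                                 callable $reverse, callable $forward): bool {
    // Both checks must pass before any plugin install/activate/deactivate action.
    return api_key_is_valid($key, $stored_key) && ip_is_trusted($ip, $reverse, $forward);
}

// Constructed resolver tables standing in for DNS during a demonstration run.
$ptr = [
    '203.0.113.5'  => 'node1.example-api.test', // genuine: forward lookup matches
    '198.51.100.9' => 'node1.example-api.test', // spoofed PTR: forward lookup does not match
];
$fwd = ['node1.example-api.test' => ['203.0.113.5']];
$reverse = fn(string $ip) => $ptr[$ip] ?? false;
$forward = fn(string $h)  => $fwd[$h] ?? false;

// Case 1: empty API key from an otherwise trusted address.
var_dump(authorize_plugin_action('', 'secret', '203.0.113.5', $reverse, $forward));
// Case 2: correct key, but the PTR name does not forward-confirm.
var_dump(authorize_plugin_action('secret', 'secret', '198.51.100.9', $reverse, $forward));
// Case 3: correct key and forward-confirmed reverse DNS.
var_dump(authorize_plugin_action('secret', 'secret', '203.0.113.5', $reverse, $forward));
```

Run with `php example.php`: the first two cases are rejected (empty key; reverse DNS name that does not forward-confirm) and only the third is accepted. The point of the forward lookup is that a PTR record is controlled by whoever owns the address's reverse zone, so a hostname obtained from reverse DNS alone is attacker-influenced input, not an identity.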
Mitigation Measures
WordPress site administrators are strongly urged to upgrade their installations to the latest patched versions of the plugin. By doing so, they can neutralize the risks posed by these vulnerabilities and ensure robust site defenses.
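As an added check that is not part of the article, the script below reads the Version header of a plugin's main file and reports whether it is older than the 6.45 release the article names. The plugin directory and file name are assumptions (verify them against the local installation); the fallback sample header is constructed. Inside WordPress itself, get_plugin_data() performs the same header parsing.

```php
<?php
// Added example, not from the article or the plugin. Parses a WordPress plugin
// header for its Version: line and compares it with the patched release.

const PATCHED_VERSION = '6.45'; // from the article: both fixes are in by 6.45

// Assumed location of the plugin's main file; confirm on the target site.
const ASSUMED_PLUGIN_FILE = 'wp-content/plugins/cleantalk-spam-protect/cleantalk.php';

// WordPress plugin headers live in a leading comment block, one "Key: value" per line.
function plugin_version_from_header(string $header_text): ?string {
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header_text, $m)) {
        return $m[1];
    }
    return null; // header missing or malformed
}

function needs_update(string $installed, string $patched = PATCHED_VERSION): bool {
    // version_compare handles multi-part versions such as 6.44.1 correctly.
    return version_compare($installed, $patched, '<');
}

// Use a file path given on the command line, else a constructed sample header.
$path = $argv[1] ?? ASSUMED_PLUGIN_FILE;
if (is_readable($path)) {
    $header = file_get_contents($path, false, null, 0, 8192); // headers sit at the top
} else {
    $header = "<?php\n/*\nPlugin Name: Example Anti-Spam (constructed sample)\nVersion: 6.44\n*/\n";
    fwrite(STDERR, "Note: $path not readable, using constructed sample header\n");
}

$installed = plugin_version_from_header($header);
if ($installed === null) {
    fwrite(STDERR, "Could not find a Version: header\n");
    exit(2);
}
printf("installed=%s patched=%s needs_update=%s\n",
       $installed, PATCHED_VERSION, needs_update($installed) ? 'yes' : 'no');
exit(needs_update($installed) ? 1 : 0);
```

The non-zero exit status makes the script usable in a cron job or fleet check across many sites; on a live site, `wp plugin list` (WP-CLI) gives the same information without custom code.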
Broader Implications
This revelation comes amid warnings from Sucuri regarding escalating campaigns that exploit compromised WordPress sites. These attacks often inject malicious scripts aimed at:
- Redirecting visitors to fraudulent websites laden with ads or scams.
- Harvesting sensitive credentials, including admin passwords.
- Injecting malware capable of executing arbitrary PHP code on servers.
One of the more insidious threats involves redirections to VexTrio Viper scam sites, where attackers leverage stolen credentials to escalate their reach.
By exploiting plugins like CleanTalk’s anti-spam tool, adversaries gain an entry point for orchestrating widespread attacks, leaving affected site owners grappling with compromised data and damaged reputations.
Given the critical nature of these vulnerabilities, site owners must act swiftly to secure their platforms. Ensuring that all plugins remain updated and that additional security measures, such as firewalls and malware scanners, are employed can significantly mitigate potential risks. The stakes are high, and proactive measures are imperative to safeguard WordPress sites from exploitation.