Two significant security flaws in the CleanTalk Spam Protection, Anti-Spam, and Firewall plugin for WordPress have been discovered, potentially allowing attackers to install and activate malicious plugins on vulnerable sites. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, both carry a high CVSS score of 9.8 out of 10, indicating a severe risk to WordPress sites running outdated versions of the plugin. The issues were patched in versions 6.44 and 6.45, released in December 2024.
CleanTalk, an anti-spam solution installed on more than 200,000 WordPress websites, is designed to block spam in comments, registrations, and surveys. The vulnerabilities found in the plugin, however, allow an unauthenticated attacker to bypass its authorization check and install plugins of their choosing. If the installed plugin itself contains a vulnerability, this can lead to remote code execution on the affected site.
CVE-2024-10781 stems from a missing empty-value check on the ‘api_key’ parameter in the ‘perform’ function, which allows unauthorized plugin installation. CVE-2024-10542, meanwhile, stems from a reverse DNS spoofing issue in the checkWithoutToken() function that likewise allows the authorization check to be bypassed.
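The two weaknesses described above are instances of general authorization mistakes: comparing an API key without first rejecting an empty value, and trusting a reverse DNS (PTR) name on its own. The following is an added example, not code from the CleanTalk plugin or from the article, showing a flawed check of that shape beside a hardened one. The stored key, the vendor domain `example-vendor.net`, the IP addresses, and the DNS tables are all constructed so the example runs offline; `flawed_authorize`, `hardened_authorize` and their helpers are hypothetical names.

```python
"""Hypothetical illustration of two authorization weaknesses: a missing
empty-value check on an API key, and an origin check that trusts reverse
DNS alone. Not the CleanTalk plugin's code; all data below is constructed."""
import hmac
from typing import Callable, Dict, List, Optional

STORED_API_KEY = "example-stored-key-0123"   # constructed sample value
TRUSTED_SUFFIX = ".example-vendor.net"        # assumed trusted vendor domain

# Constructed DNS view: one genuine vendor host, and one attacker-controlled
# address whose PTR record merely claims to be that vendor host.
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "api.example-vendor.net",
    "198.51.100.7": "api.example-vendor.net",   # spoofed reverse entry
}
A_RECORDS: Dict[str, List[str]] = {
    "api.example-vendor.net": ["203.0.113.10"],
}

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query (e.g. socket.gethostbyaddr), served from the table."""
    return PTR_RECORDS.get(ip)


def forward_lookup(hostname: str) -> List[str]:
    """Stand-in for an A/AAAA query, served from the table."""
    return A_RECORDS.get(hostname, [])


def flawed_authorize(supplied_key: str, remote_ip: str,
                     stored_key: str = STORED_API_KEY,
                     rlookup: ReverseLookup = reverse_lookup) -> bool:
    """Pattern to avoid: either branch grants access on weak evidence."""
    # No empty-value check: if the site has no key configured, an empty
    # stored key and an empty request key compare equal and the request passes.
    if supplied_key == stored_key:
        return True
    # Reverse DNS alone: whoever controls the reverse zone for an address
    # decides what name its PTR record returns, so this proves nothing.
    hostname = rlookup(remote_ip)
    return bool(hostname and hostname.endswith(TRUSTED_SUFFIX))


def key_is_valid(supplied_key: str, stored_key: str) -> bool:
    """Reject empty values on either side, then compare in constant time."""
    if not supplied_key or not stored_key:
        return False
    return hmac.compare_digest(supplied_key.encode(), stored_key.encode())


def origin_is_verified(remote_ip: str, rlookup: ReverseLookup,
                       flookup: ForwardLookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    hostname = rlookup(remote_ip)
    if not hostname or not hostname.endswith(TRUSTED_SUFFIX):
        return False
    return remote_ip in flookup(hostname)


def hardened_authorize(supplied_key: str, remote_ip: str,
                       stored_key: str = STORED_API_KEY,
                       rlookup: ReverseLookup = reverse_lookup,
                       flookup: ForwardLookup = forward_lookup) -> bool:
    """Require a non-empty, matching key AND a forward-confirmed origin;
    neither factor on its own is enough."""
    return (key_is_valid(supplied_key, stored_key)
            and origin_is_verified(remote_ip, rlookup, flookup))


if __name__ == "__main__":
    cases = [("", "192.0.2.1", ""), ("wrong", "198.51.100.7", STORED_API_KEY),
             (STORED_API_KEY, "198.51.100.7", STORED_API_KEY),
             (STORED_API_KEY, "203.0.113.10", STORED_API_KEY)]
    for key, ip, stored in cases:
        print(f"key={key!r:28} ip={ip:14} flawed={flawed_authorize(key, ip, stored)!s:5} "
              f"hardened={hardened_authorize(key, ip, stored)}")
```

The flawed version accepts a request with no key at all when no key is configured, and accepts any address whose PTR record names the vendor domain. The hardened version refuses empty keys outright, compares in constant time, and only trusts a reverse-DNS name after the forward lookup of that name returns the connecting address.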
By exploiting these flaws, attackers could potentially install, activate, deactivate, or even uninstall plugins on compromised sites, opening the door to further malicious actions, including server-side exploits and unauthorized access to sensitive data.
As a result of these vulnerabilities, security experts recommend that all users of the CleanTalk plugin promptly update to versions 6.44 or higher to protect their websites. Failing to do so could expose sites to additional risks, especially as cybercriminals are known to exploit compromised WordPress sites to inject malware, steal login credentials, and even redirect users to malicious websites.
In light of these security issues, it is crucial for site administrators to stay vigilant and implement the latest security patches. Regular updates, alongside proactive monitoring of site activities, will help safeguard against emerging threats.