Multiple critical vulnerabilities existed in the WordPress plugin "Spam protection, Anti-Spam, FireWall." Exploiting these vulnerabilities could allow unauthorized plugin installation and, through it, remote code execution on target websites. Since the plugin developers have patched the flaws, WordPress users should update their sites to the latest plugin release as soon as possible.
Numerous Vulnerabilities Caught In Anti-Spam WordPress Plugin
According to a recent post from Wordfence, numerous critical vulnerabilities in the Spam protection, Anti-Spam, FireWall by CleanTalk WordPress plugin have recently been fixed.
Specifically, the following two vulnerabilities affected the plugin, exposing the respective websites to various threats.
- CVE-2024-10542 (CVSS 9.8): An authorization bypass vulnerability that could allow an adversary to install plugins without authorization. Exploiting the flaw could let an attacker achieve code execution if another, separately vulnerable plugin is present on the site. The adversary could trigger the vulnerability via reverse DNS spoofing against the checkWithoutToken function.
- CVE-2024-10781 (CVSS 8.1): Another authorization bypass existed due to a missing empty value check on the ‘api_key’ value in the ‘perform’ function. Exploiting the flaw could allow an unauthenticated adversary to install arbitrary plugins and achieve remote code execution.
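Both bugs above are authorization checks that trust the wrong thing: a reverse-DNS name that the requester's network owner controls, and an API key comparison that succeeds when the key was never configured. The following is an added defender-side illustration written for this article in Python (the plugin itself is PHP); it is not CleanTalk's code, and the key value, the trusted hostname suffix and the DNS tables are constructed for the demo. It shows a key check that rejects empty values before comparing, and forward-confirmed reverse DNS (FCrDNS), where a PTR name is only trusted if it also resolves forward to the requesting IP.

```python
import hmac
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed sample values (hypothetical; not the plugin's real key or vendor domain).
STORED_API_KEY = "example-stored-key-12345"
TRUSTED_SUFFIX = ".vendor.example"


def naive_key_check(stored_key: str, supplied_key: str) -> bool:
    """The weak pattern the advisory describes: a straight comparison with no
    empty-value check. If the site never configured a key (stored value is
    empty), an empty supplied key compares equal and the check passes."""
    return stored_key == supplied_key


def hardened_key_check(stored_key: Optional[str], supplied_key: Optional[str]) -> bool:
    """Reject unset or empty keys on either side first, then compare in
    constant time so the comparison does not leak where the mismatch is."""
    if not stored_key or not supplied_key:
        return False
    return hmac.compare_digest(stored_key.encode(), supplied_key.encode())


def fcrdns_allows(ip: str, trusted_suffix: str,
                  reverse_lookup: Callable[[str], Optional[str]],
                  forward_lookup: Callable[[str], Iterable[str]]) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must end with the trusted
    suffix AND the name must resolve forward to the requesting IP. Whoever
    controls the reverse zone for an IP can publish any PTR name, so the
    reverse record alone proves nothing."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    host = reverse_lookup(str(addr))
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(trusted_suffix.lower()):
        return False
    return any(ipaddress.ip_address(a) == addr for a in forward_lookup(host))


# Constructed DNS tables so the demo runs offline (resolvers are injected).
PTR_TABLE = {
    "203.0.113.10": "api.vendor.example.",   # legitimate: forward record matches
    "198.51.100.7": "api.vendor.example.",   # PTR points at the trusted name but
                                             # the name does not resolve back here
}
A_TABLE = {"api.vendor.example": ["203.0.113.10"]}


def demo_reverse_lookup(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def demo_forward_lookup(host: str) -> Iterable[str]:
    return A_TABLE.get(host, [])


def origin_trusted(ip: str) -> bool:
    """Convenience wrapper binding the demo resolvers to the FCrDNS check."""
    return fcrdns_allows(ip, TRUSTED_SUFFIX, demo_reverse_lookup, demo_forward_lookup)


if __name__ == "__main__":
    print("naive, unconfigured key + empty input:", naive_key_check("", ""))          # True
    print("hardened, unconfigured key + empty input:", hardened_key_check("", ""))    # False
    print("hardened, correct key:", hardened_key_check(STORED_API_KEY, STORED_API_KEY))
    print("FCrDNS, genuine origin:", origin_trusted("203.0.113.10"))                  # True
    print("FCrDNS, PTR-only match:", origin_trusted("198.51.100.7"))                  # False
    print("FCrDNS, no PTR at all:", origin_trusted("192.0.2.1"))                      # False
```

The empty-value guard is the whole fix for the second pattern: once a missing configuration value can never satisfy the comparison, an unauthenticated request carrying no key has nothing to match. For the first pattern, FCrDNS raises the bar but still depends on DNS, so a production design should treat it as one signal alongside a real credential rather than as the sole gate.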
Wordfence shared detailed technical analyses of these vulnerabilities in its post.
The two vulnerabilities came to light separately. First, security researcher Michael Mazzolini found CVE-2024-10542. Mazzolini reported the flaw through Wordfence's bug bounty program and earned a $4095 bounty for the report.
Wordfence coordinated with the plugin developers to get the flaw patched. However, while reviewing the fix the developers shipped in plugin version 6.44, Wordfence discovered a second, similar vulnerability, CVE-2024-10781.
Nonetheless, the plugin developers promptly addressed this, releasing the second vulnerability patch with plugin version 6.45.
The plugin "Spam protection, Anti-Spam, FireWall by CleanTalk" currently has over 200,000 active installations, which indicates how many websites were potentially exposed. All WordPress admins using this plugin should therefore update to version 6.45 or, preferably, the latest plugin release (version 6.45.2 at the time of writing) to receive all bug fixes.
Let us know your thoughts in the comments.