Two critical security flaws in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress could allow unauthenticated attackers to install and activate malicious plugins on susceptible sites and potentially achieve remote code execution.
The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions 6.44 and 6.45, released this month.
Installed on over 200,000 WordPress sites, the CleanTalk Spam Protection, Anti-Spam and FireWall plugin is advertised as an “all-in-one anti-spam plugin” that blocks spam comments, signups, surveys, and more.
According to Wordfence, both vulnerabilities stem from authorization bypass issues that could allow an attacker to install and activate arbitrary plugins. This in turn opens the way to remote code execution if the activated plugin is itself vulnerable.
The plugin is “vulnerable to unauthorized arbitrary plugin installation due to the lack of an empty check for the ‘api_key’ value in the ‘execute’ function in all versions up to and including 6.44,” Wordfence security researcher István Márton said, citing CVE-2024-10781.
CVE-2024-10542, on the other hand, stems from an authorization bypass via reverse DNS spoofing in the checkWithoutToken() function.
Regardless of the bypass method, successful exploitation of either flaw could allow an attacker to install, activate, deactivate, or even uninstall plugins.
Users of the plugin are advised to ensure that their sites are updated to the latest patched version to protect against potential threats.
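The two bypass patterns described above, as an added example that is not part of the original article and not the plugin's own code: a small Python model of a remote-control endpoint that authorizes callers either by a configured API key or by a reverse DNS lookup on the caller's IP. The vendor hostname suffix (".vendor.example"), the DNS tables, the function names and the assumed flow (key first, reverse DNS as fallback) are all assumptions made for this illustration; the real plugin is PHP, but the logic of the two weaknesses and their fixes is language-independent.

```python
"""Toy model of two authorization-bypass patterns: an API-key comparison
with no empty check, and a trust decision based on an unverified reverse
DNS (PTR) lookup. Illustrative code, not the plugin's own; DNS lookups are
injectable callables so the module runs offline."""
import hmac
import socket
from typing import Callable, List

PtrLookup = Callable[[str], List[str]]   # ip -> PTR hostnames
ALookup = Callable[[str], List[str]]     # hostname -> A-record IPs

# Assumption: callers whose reverse DNS name ends in the vendor's domain are
# trusted. ".vendor.example" is a placeholder, not a real vendor domain.
TRUSTED_SUFFIX = ".vendor.example"

# Constructed DNS data for this example (not real records).
CONSTRUCTED_PTR = {
    "203.0.113.10": ["api.vendor.example"],   # genuine vendor host
    "198.51.100.7": ["api.vendor.example"],   # attacker IP: the attacker owns the
                                              # reverse zone and set a misleading PTR
}
CONSTRUCTED_A = {
    "api.vendor.example": ["203.0.113.10"],   # only the vendor controls this zone
}


def constructed_ptr_lookup(ip: str) -> List[str]:
    return CONSTRUCTED_PTR.get(ip, [])


def constructed_a_lookup(name: str) -> List[str]:
    return CONSTRUCTED_A.get(name, [])


def live_ptr_lookup(ip: str) -> List[str]:
    """Real PTR lookup via the system resolver (not used offline)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except socket.herror:
        return []


def live_a_lookup(name: str) -> List[str]:
    """Real forward lookup via the system resolver (not used offline)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Pattern 1: key compared without an empty check (the CVE-2024-10781 class).
def vulnerable_key_check(stored_key: str, supplied_key: str) -> bool:
    """Plain equality: a site that has no key configured (stored_key == "")
    accepts any request that also supplies an empty key."""
    return stored_key == supplied_key


def hardened_key_check(stored_key: str, supplied_key: str) -> bool:
    """Reject an empty value on either side, then compare in constant time."""
    if not stored_key or not supplied_key:
        return False
    return hmac.compare_digest(stored_key.encode(), supplied_key.encode())


# Pattern 2: trust based on an unverified PTR name (the CVE-2024-10542 class).
def vulnerable_reverse_dns_check(remote_ip: str, ptr: PtrLookup) -> bool:
    """Trusts the PTR name alone. Whoever controls the reverse zone for
    remote_ip can publish any name there, so this is attacker-controlled."""
    return any(name.endswith(TRUSTED_SUFFIX) for name in ptr(remote_ip))


def hardened_reverse_dns_check(remote_ip: str, ptr: PtrLookup, a: ALookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to
    remote_ip, which requires control of the vendor's forward zone."""
    for name in ptr(remote_ip):
        if name.endswith(TRUSTED_SUFFIX) and remote_ip in a(name):
            return True
    return False


def authorize(remote_ip: str, supplied_key: str, stored_key: str,
              ptr: PtrLookup, a: ALookup, hardened: bool = False) -> bool:
    """Assumed endpoint flow. Vulnerable shape: either weak check alone grants
    plugin-management rights. Hardened shape: a non-empty key is mandatory and
    the forward-confirmed origin check is an additional filter, not a substitute."""
    if hardened:
        return (hardened_key_check(stored_key, supplied_key)
                and hardened_reverse_dns_check(remote_ip, ptr, a))
    return (vulnerable_key_check(stored_key, supplied_key)
            or vulnerable_reverse_dns_check(remote_ip, ptr))


if __name__ == "__main__":
    attacker, vendor = "198.51.100.7", "203.0.113.10"
    for label, ip, key, stored, hard in [
        ("unconfigured key, vulnerable", attacker, "", "", False),
        ("spoofed PTR, vulnerable", attacker, "x", "s3cret", False),
        ("spoofed PTR, hardened", attacker, "s3cret", "s3cret", True),
        ("vendor host, hardened", vendor, "s3cret", "s3cret", True),
    ]:
        ok = authorize(ip, key, stored, constructed_ptr_lookup, constructed_a_lookup, hard)
        print(f"{label}: {'ALLOWED' if ok else 'denied'}")
```

The point of the hardened path is that neither a PTR record nor a source IP is a credential: forward-confirmed reverse DNS only stops an attacker who controls their own reverse zone but not the vendor's forward zone, so it belongs behind a mandatory shared secret rather than in place of one.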
The development comes as Sucuri warned of multiple campaigns that leverage compromised WordPress sites to inject malicious code that redirects site visitors to other sites via bogus ads, skims login credentials, and deploys malware that captures admin passwords, redirects to VexTrio Viper scam sites, and executes arbitrary PHP code on the server.