WordPress Plugin Vulnerability Puts 200,000 Sites at Risk

On October 30, 2024, a critical vulnerability was discovered in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting more than 200,000 active installations. This vulnerability allows attackers to install, activate, or delete plugins without authorization, which can lead to remote code execution (RCE).

The two vulnerabilities are tracked as CVE-2024-10542 and CVE-2024-10781, both rated with a CVSS score of 9.8, indicating a critical level of risk.

Details of the Discovered Vulnerabilities

1. Authorization Bypass: Reverse DNS Spoofing

  • Affected versions: 6.43.2 and earlier
  • CVE ID: CVE-2024-10542
  • CVSS Score: 9.8 (Critical)
  • Patched in version: 6.44

2. Authorization Bypass: Missing Empty Value Check

  • Affected versions: 6.44 and earlier
  • CVE ID: CVE-2024-10781
  • CVSS Score: 9.8 (Critical)
  • Patched in version: 6.45

Exploit via Reverse DNS Spoofing

This vulnerability arises from a flaw in the checkWithoutToken() function, which grants trust based on resolving the client IP address to a hostname and checking that hostname against the expected domain. An attacker can exploit this by:

  • Spoofing the IP address using the X-Client-Ip and X-Forwarded-By headers.
  • Using a domain containing “cleantalk.org” (e.g., cleantalk.org.evilsite.com).

This allows the attacker to perform unauthorized actions, such as installing, activating, or uninstalling plugins.

Missing Empty Value Check

This vulnerability occurs when the API key is not properly configured or is left empty. In such cases, an attacker can authenticate themselves using a token matching the empty hash value.
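To make both weaknesses concrete, the following Python example (added here; it is not the plugin's code and only reconstructs the patterns the two sections above describe) places each defective check beside a hardened form: a substring match on the reverse-resolved hostname next to a label-aligned suffix match with forward-confirmed reverse DNS, client-supplied IP headers honoured only from a trusted proxy, and a token comparison that refuses an empty API key. The hash function (sha256), the trusted-proxy model, and the DNS tables are assumptions made for the demo; the page states neither the plugin's hash algorithm nor its resolver calls.

```python
import hashlib
import hmac
import socket

# Domain the advisory says the check is meant to trust; 'cleantalk.org.evilsite.com'
# is the kind of lookalike name it cites as passing the weak test.
TRUSTED_DOMAIN = "cleantalk.org"


def weak_host_check(hostname: str) -> bool:
    """Substring test on the reverse-resolved name. This is the defective
    pattern: any name that merely contains 'cleantalk.org' is accepted."""
    return TRUSTED_DOMAIN in hostname


def strict_host_check(hostname: str) -> bool:
    """Hardened form: exact match or a label-aligned subdomain, so both
    'evilcleantalk.org' and 'cleantalk.org.evilsite.com' are rejected."""
    host = hostname.rstrip(".").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def client_ip(headers: dict, remote_addr: str, trusted_proxies=()) -> str:
    """Use the socket peer address unless that peer is a proxy we operate.
    X-Client-Ip / X-Forwarded-By are written by the sender, so honouring them
    from an arbitrary peer lets the sender choose which IP gets resolved."""
    if remote_addr in trusted_proxies:
        for name in ("X-Client-Ip", "X-Forwarded-By"):
            value = headers.get(name, "").strip()
            if value:
                return value
    return remote_addr


def peer_is_trusted(ip: str, ptr_lookup=None, addr_lookup=None) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) must be a trusted name AND that
    name must resolve back to ip. Lookups are injectable so this runs offline."""
    ptr_lookup = ptr_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    addr_lookup = addr_lookup or (lambda n: socket.gethostbyname_ex(n)[2])
    try:
        name = ptr_lookup(ip)
        if not strict_host_check(name):
            return False
        return ip in addr_lookup(name)
    except (OSError, KeyError):  # socket errors are OSError; table misses are KeyError
        return False


# Token handling for the second issue. The advisory states that an empty API key
# lets a token equal to the hash of the empty value authenticate. sha256 is an
# assumption for this demo, not the plugin's actual hash function.
def expected_token(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


EMPTY_KEY_TOKEN = expected_token("")  # fixed, publicly computable value


def weak_token_check(api_key: str, token: str) -> bool:
    """Missing empty-value check: with no key configured this still returns True
    for the well-known hash of the empty string."""
    return expected_token(api_key) == token


def strict_token_check(api_key: str, token: str) -> bool:
    """Refuse outright when no key is configured, then compare in constant time."""
    if not api_key or not token:
        return False
    return hmac.compare_digest(expected_token(api_key), token)


# Constructed DNS tables for the offline demo (documentation-range addresses).
FAKE_PTR = {"198.51.100.10": "api.cleantalk.org",
            "203.0.113.7": "cleantalk.org.evilsite.com"}
FAKE_ADDRS = {"api.cleantalk.org": ["198.51.100.10"],
              "cleantalk.org.evilsite.com": ["203.0.113.7"]}


def demo_peer(ip: str) -> bool:
    """peer_is_trusted() evaluated against the constructed tables."""
    return peer_is_trusted(ip, lambda a: FAKE_PTR[a], lambda n: FAKE_ADDRS[n])


if __name__ == "__main__":
    for name in ("api.cleantalk.org", "cleantalk.org.evilsite.com", "evilcleantalk.org"):
        print(f"{name:28} weak={weak_host_check(name)!s:5} strict={strict_host_check(name)}")
    print("header from untrusted peer resolves as:",
          client_ip({"X-Client-Ip": "198.51.100.10"}, "203.0.113.7"))
    print("empty key: weak =", weak_token_check("", EMPTY_KEY_TOKEN),
          "strict =", strict_token_check("", EMPTY_KEY_TOKEN))
```

The three fixes are independent: even with a correct suffix match, resolving an address the client chose through a forwarding header still lets the client pick the name that gets checked, and even with a correct address, a reverse record can point at any name unless the forward lookup confirms it.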

Timeline

  • October 30, 2024: The first vulnerability was identified and confirmed.
  • November 1, 2024: A partial patch (version 6.44) was released.
  • November 4, 2024: The second vulnerability was discovered.
  • November 14, 2024: A full patch (version 6.45) was released.

Recommendations

To secure your site, the following actions are strongly recommended:

  1. Immediately update the Anti-Spam by CleanTalk plugin to version 6.45.
  2. Check and ensure the plugin’s API key settings are properly configured.
  3. Implement additional security measures, such as using a Web Application Firewall (WAF).
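A quick way to verify step 1 across a fleet is to feed WP-CLI's plugin inventory to a small checker. The Python below is an added example (not from the advisory or the plugin vendor); it parses the JSON that `wp plugin list --format=json` emits and flags any listed plugin below its fixed version. The plugin's directory slug (cleantalk-spam-protect) is an assumption, and the sample inventory is constructed.

```python
import json
import re
import sys

# Minimum safe version from the advisory: 6.45 fixes both CVEs.
# The slug is assumed (WordPress.org directory name), not stated in the advisory.
FIXED_VERSIONS = {"cleantalk-spam-protect": "6.45"}

# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "cleantalk-spam-protect", "status": "active", "update": "available", "version": "6.44"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])


def version_tuple(version: str) -> tuple:
    """Numeric tuple for comparison: '6.44.1' -> (6, 44, 1); a suffix such as
    '6.45-beta' keeps only the leading digits of each component."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def vulnerable_plugins(plugin_list_json: str) -> list:
    """Return (slug, installed, fixed, status) for each known plugin that is
    still below its fixed version, regardless of whether it is active."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        fixed = FIXED_VERSIONS.get(plugin.get("name"))
        if fixed and version_tuple(plugin["version"]) < version_tuple(fixed):
            findings.append((plugin["name"], plugin["version"], fixed, plugin.get("status")))
    return findings


if __name__ == "__main__":
    # Pipe real output in, e.g. `wp plugin list --format=json | python3 check.py`;
    # with no piped input the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for slug, installed, fixed, status in vulnerable_plugins(raw):
        print(f"UPDATE NEEDED: {slug} {installed} < {fixed} (status: {status})")
```

An inactive but installed copy is still reported, since the affected code stays on disk until the plugin is updated or removed.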

Conclusion

This incident underscores the importance of keeping WordPress plugins up to date and being vigilant about security issues. Proper management of plugins and timely application of patches can help safeguard your site from unexpected attacks.

We strongly recommend following the above measures to ensure your site’s security.
