
WordPress Anti-Spam Plugin Exposes 200,000+ Sites to Remote Attacks


Two critical security vulnerabilities affecting the Spam Protection, Anti-Spam, and Firewall plugin for WordPress could enable unauthenticated attackers to install and activate malicious plugins on vulnerable sites, potentially leading to remote code execution.

The flaws, identified as CVE-2024-10542 and CVE-2024-10781, have been assigned a CVSS score of 9.8 out of 10.0. Fixes were released in versions 6.44 and 6.45 earlier this month.

Used on over 200,000 WordPress sites, CleanTalk’s Spam Protection, Anti-Spam, and Firewall plugin is marketed as a “universal anti-spam plugin” designed to block spam comments, registrations, surveys, and more.

According to Wordfence, both vulnerabilities are linked to an authorization bypass issue that could allow attackers to install and activate arbitrary plugins. This could lead to remote code execution if the installed plugin contains exploitable vulnerabilities.

The plugin is “vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the ‘api_key’ parameter in the ‘perform’ function in all versions up to and including 6.44,” security researcher István Márton explained, referring to CVE-2024-10781.

Meanwhile, CVE-2024-10542 arises from an authorization bypass via reverse DNS spoofing in the checkWithoutToken() function.

Regardless of the attack vector, exploiting either flaw could allow an attacker to install, activate, deactivate, or uninstall plugins.
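The two check patterns named above (a key comparison with no empty-value guard, and trust placed in a reverse-DNS name alone) are shown below as an editor-added illustration. This is constructed Python, not the plugin's PHP and not Wordfence's analysis; the stored key, the trusted hostname suffix and the DNS tables are made-up assumptions. Each weak form is paired with the generally recommended hardened form (an explicit empty check with constant-time comparison, and forward-confirmed reverse DNS), which goes beyond what the article itself states.

```python
"""Two authorization-check patterns of the kind the article describes, as a
constructed illustration (not the plugin's own code). The stored key, the
trusted hostname suffix and the DNS tables are made-up assumptions."""
import hmac
from typing import Callable, Optional, Set

# --- Pattern 1: key comparison without an empty-value check -------------

def key_check_no_empty_guard(stored_key: str, supplied_key: str) -> bool:
    """Weak form: a plain equality test. If no key has been configured on
    the site, stored_key is '' and an empty supplied_key passes."""
    return supplied_key == stored_key

def key_check_hardened(stored_key: str, supplied_key: str) -> bool:
    """Hardened form: reject empty values first, then compare in constant
    time so timing leaks nothing about the stored key."""
    if not stored_key or not supplied_key:
        return False
    return hmac.compare_digest(stored_key, supplied_key)

# --- Pattern 2: reverse-DNS trust without forward confirmation ----------

TRUSTED_SUFFIX = ".vendor.example"  # constructed: suffix the check trusts

# Constructed DNS data. Whoever administers an IP block controls its PTR
# records, so a caller can give its own address any reverse name it likes.
PTR_RECORDS = {
    "198.51.100.10": "api.vendor.example",  # the vendor's real host
    "203.0.113.7": "api.vendor.example",    # caller-controlled reverse name
}
A_RECORDS = {
    "api.vendor.example": {"198.51.100.10"},
}

def resolve_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR lookup against the constructed table."""
    return PTR_RECORDS.get(ip)

def resolve_a(hostname: str) -> Set[str]:
    """Stand-in for an A lookup against the constructed table."""
    return A_RECORDS.get(hostname, set())

def rdns_check_ptr_only(remote_ip: str,
                        ptr: Callable[[str], Optional[str]] = resolve_ptr) -> bool:
    """Weak form: trusts the PTR name alone, so any address whose reverse
    zone claims the trusted suffix is accepted."""
    host = ptr(remote_ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)

def rdns_check_forward_confirmed(remote_ip: str,
                                 ptr: Callable[[str], Optional[str]] = resolve_ptr,
                                 fwd: Callable[[str], Set[str]] = resolve_a) -> bool:
    """Hardened form (forward-confirmed reverse DNS): the reverse name must
    also resolve back to the connecting address."""
    host = ptr(remote_ip)
    if host is None or not host.endswith(TRUSTED_SUFFIX):
        return False
    return remote_ip in fwd(host)

if __name__ == "__main__":
    # Empty key: weak check passes, hardened check refuses.
    print(key_check_no_empty_guard("", ""), key_check_hardened("", ""))
    # Spoofed reverse name: PTR-only check passes, forward-confirmed check refuses.
    print(rdns_check_ptr_only("203.0.113.7"),
          rdns_check_forward_confirmed("203.0.113.7"))
```

The forward-confirmation step is the important one for a defender reviewing similar code: a reverse name proves nothing on its own, because the reverse zone for an address is under the control of whoever holds that address, whereas the forward zone for the trusted domain is under the vendor's control.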

Users of the plugin are strongly urged to update to the latest patched version to mitigate potential risks.

This development coincides with Sucuri’s warning about multiple campaigns exploiting compromised WordPress sites. Threat actors are injecting malicious code to redirect site visitors to fraudulent ads, skim login credentials, deploy malware to capture admin passwords, redirect to VexTrio Viper scam pages, and execute arbitrary PHP code on servers.

Source: TheHackerNews
