- Researchers found two flaws in a popular WordPress plugin
- Flaws allow threat actors to install malicious plugins and run arbitrary code
- A patch is already available, so WordPress users should update now
A major anti-spam plugin for top website builder WordPress carried a pair of critical severity vulnerabilities which allowed threat actors to install plugins at will, and even execute arbitrary code, remotely.
The bugs have since been patched, and users are advised to deploy them as soon as possible.
The vulnerable plugin is called “Spam protection, Anti-Spam, and Firewall”, and was built by CleanTalk, a company developing spam protection for WordPress, Joomla, Drupal, and other website builders.
Popular plugin
The plugin carried two flaws: one tracked as CVE-2024-10542, and one tracked as CVE-2024-10781. The first has a severity score of 9.8 – critical, while the second 8.1 – high.
The former is an unauthorized Arbitrary Plugin Installation bug, that occurs due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function. As a result, unauthenticated attackers get to install and activate arbitrary plugins which, in some scenarios, can be leveraged to achieve remote code execution.
The latter, on the other hand, is an unauthorized Arbitrary Plugin Installation that occurs due to an missing empty value check on the ‘api_key’ value in the ‘perform’ function. The results are the same – achieving remote code execution in certain scenarios (when another vulnerable plugin is installed and activated).
Spam protection, Anti-Spam, and Firewall is a major WordPress plugin, installed on more than 200,000 websites, at press time. The bug was first spotted by a researcher with the alias ‘mikemyers’ who reported their findings to WordFence, a project that researches WordPress vulnerabilities.
WordFence reached out to CleanTalk in late October 2024 who, a few days later, came forward with a patch. “We would like to commend the CleanTalk team for their prompt response and timely patch,” WordFence said.
Users are urged to update their sites with the latest patched version, which was 6.45.2 at press time.