Top WordPress anti-spam plugin may actually be putting your site at risk of attack

27 November 2024, 17:38 published

[ad_1]

Researchers found two flaws in a popular WordPress plugin
Flaws allow threat actors to install malicious plugins and run arbitrary code
A patch is already available, so WordPress users should update now

A major anti-spam plugin for top website builder WordPress carried a pair of critical severity vulnerabilities which allowed threat actors to install plugins at will, and even execute arbitrary code, remotely.

The bugs have since been patched, and users are advised to deploy them as soon as possible.

The vulnerable plugin is called “Spam protection, Anti-Spam, and Firewall”, and was built by CleanTalk, a company developing spam protection for WordPress, Joomla, Drupal, and other website builders.

Popular plugin

The plugin carried two flaws: one tracked as CVE-2024-10542, and one tracked as CVE-2024-10781. The first has a severity score of 9.8 – critical, while the second 8.1 – high.

The former is an unauthorized Arbitrary Plugin Installation bug, that occurs due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function. As a result, unauthenticated attackers get to install and activate arbitrary plugins which, in some scenarios, can be leveraged to achieve remote code execution.

The latter, on the other hand, is an unauthorized Arbitrary Plugin Installation that occurs due to an missing empty value check on the ‘api_key’ value in the ‘perform’ function. The results are the same – achieving remote code execution in certain scenarios (when another vulnerable plugin is installed and activated).

Spam protection, Anti-Spam, and Firewall is a major WordPress plugin, installed on more than 200,000 websites, at press time. The bug was first spotted by a researcher with the alias ‘mikemyers’ who reported their findings to WordFence, a project that researches WordPress vulnerabilities.

WordFence reached out to CleanTalk in late October 2024 who, a few days later, came forward with a patch. “We would like to commend the CleanTalk team for their prompt response and timely patch,” WordFence said.

Users are urged to update their sites with the latest patched version, which was 6.45.2 at press time.

[ad_2]

Source link

Joy

Cong.

Loved

Surprised

Unliked

Mad

Top WordPress anti-spam plugin may actually be putting your site at risk of attack

Comment

Top WordPress anti-spam plugin may actually be putting your site at risk of attack

Write a Reply Cancel

You may be interested

The Galaxy S25 could have genuinely useful AI features that trump Apple Intelligence – including these 5 tricks

Access Denied

Access Denied

I’ve been waiting years for ChatGPT’s new Tasks feature – here’s how I’m planning to use it to organize my life

Access Denied

Wrexham’s new stadium plans get even BIGGER after Ryan Reynolds revealed vision for 55,000-seater ground

150TB SSD modules to go mainstream in 2025, and Micron is getting a slice of that pie

Nvidia abandons the problematic 12VHPWR RTX 4080 power connector with a much longer one for the RTX 5080 FE according to leaked images

Access Denied

Transfer news LIVE: Saudis set to offer Mohamed Salah £65m, Marcus Rashford EXCLUSIVE, Trent Alexander-Arnold TWIST

Top WordPress anti-spam plugin may actually be putting your site at risk of attack

Share This Post

or copy the link

Related News

Write a Reply Cancel

You may be interested