WordPress Plugin Flaw Exposes 200,000 WordPress Sites To Hacking


A critical vulnerability was discovered on October 30th, 2024 in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active installations.

This flaw allows unauthenticated attackers to install and activate arbitrary plugins, which could lead to remote code execution on vulnerable sites.

The two vulnerabilities discovered in the plugin are tracked as CVE-2024-10542 and CVE-2024-10781.

Wordfence researchers rated both vulnerabilities as Critical, each with a CVSS score of 9.8.

The profile of each of the two vulnerabilities identified in the plugin is as follows:

Authorization Bypass via Reverse DNS Spoofing

  • Affected versions: <= 6.43.2
  • CVE ID: CVE-2024-10542
  • CVSS Score: 9.8 (Critical)
  • Patched in version 6.44

Authorization Bypass due to Missing Empty Value Check

  • Affected versions: <= 6.44
  • CVE ID: CVE-2024-10781
  • CVSS Score: 9.8 (Critical)
  • Patched in version 6.45


Technical Analysis

Authorization Bypass via Reverse DNS Spoofing

The vulnerability stems from the checkWithoutToken() function, which relies on resolving the requester's IP address and checking the resulting domain name. An attacker can bypass the check by:

  1. Spoofing the IP address using X-Client-Ip and X-Forwarded-By headers
  2. Using a domain containing “cleantalk.org” (cleantalk.org.evilsite.com)

This bypass allows unauthorized actions such as plugin installation, activation, deactivation, or uninstallation.

Authorization Bypass due to Missing Empty Value Check

This vulnerability arises from the absence of a check for an empty API key value. If no API key is configured, an attacker can authenticate by supplying a token that matches the hash of the empty value.
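To make both flaw classes concrete, the following is an added illustrative example, not the plugin's code or Wordfence's analysis. It models the substring-style domain check and the empty-key token check described above beside a hardened version of each; the hash algorithm, header names and function names are assumptions.

```python
import hashlib
import hmac

# Constructed example: not the plugin's own code. It models the two flaw
# classes described in the article and a hardened version of each.

TRUSTED_DOMAIN = "cleantalk.org"


def weak_domain_check(hostname: str) -> bool:
    """Flawed: a substring test accepts 'cleantalk.org.evilsite.com'."""
    return TRUSTED_DOMAIN in hostname


def strict_domain_check(hostname: str) -> bool:
    """Hardened: the host must be the trusted domain or a subdomain of it."""
    host = hostname.rstrip(".").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def client_ip(remote_addr: str, headers: dict, trusted_proxies: frozenset) -> str:
    """Only honour client-supplied IP headers when the direct peer is a
    trusted proxy; otherwise the socket address is the only reliable source."""
    if remote_addr in trusted_proxies:
        for name in ("X-Client-Ip", "X-Forwarded-By"):  # assumed header names
            if headers.get(name):
                return headers[name].split(",")[0].strip()
    return remote_addr


def expected_token(configured_key: str) -> str:
    """Assumed token derivation: hex digest of the configured key."""
    return hashlib.sha256(configured_key.encode()).hexdigest()


def weak_token_check(configured_key: str, token: str) -> bool:
    """Flawed: with no key configured, the digest of '' is a valid, public token."""
    return expected_token(configured_key) == token


def strict_token_check(configured_key: str, token: str) -> bool:
    """Hardened: refuse when no key is set, then compare in constant time."""
    if not configured_key:
        return False
    return hmac.compare_digest(expected_token(configured_key), token)
```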

The disclosure timeline is as follows:

  • October 30, 2024: Initial vulnerability reported and confirmed
  • November 1, 2024: Partial patch (version 6.44) released
  • November 4, 2024: Second vulnerability discovered
  • November 14, 2024: Full patch (version 6.45) released

Researchers recommend the following:

  1. Update Anti-Spam by CleanTalk to version 6.45 immediately
  2. Ensure proper configuration of the plugin’s API key
  3. Implement additional security measures, such as using a Web Application Firewall

This security incident highlights the importance of prompt security updates and responsible disclosure in the WordPress ecosystem.
