What vulnerabilities were discovered in the WordPress Anti-Spam by Cleantalk plugin?

Two critical vulnerabilities were discovered: 1) CVE-2024-10542 (CVSS 9.8) - a reverse DNS spoofing vulnerability allowing unauthorized plugin installation, and 2) CVE-2024-10781 (CVSS 9.8) - an authentication bypass vulnerability exploiting empty API key validation.

How do these vulnerabilities work?

The reverse DNS spoofing vulnerability exploits insufficient validation using strpos() function to check 'cleantalk.org' in hostnames. The authentication bypass vulnerability occurs due to improper API key validation, where empty API keys still process authorization tokens.

Which versions are affected and what is the impact?

Versions prior to 6.45 are affected, impacting more than 200,000 WordPress websites. Both vulnerabilities allow attackers to install arbitrary plugins, execute arbitrary code, and potentially gain complete control of affected websites.

How many WordPress sites are potentially affected?

The plugin is actively used on more than 200,000 WordPress websites, all of which are potentially vulnerable if running versions prior to 6.45.

Advisory

Critical flaws reported in WordPress Anti-Spam plugin by Cleantalk

Q: What fixes have been released?

Version 6.44 addresses the reverse DNS check vulnerability (CVE-2024-10542), while version 6.45, released in mid-November, patches both security flaws.

published: Nov. 26, 2024

Take action: If you are using WordPress Anti-Spam plugin by Cleantalk, update ASAP. There are two easily exploitable flaws, with full public writeup. Don't delay.

Learn More

Worldfence reports two critical flaws in WordPress Anti-Spam by Cleantalk plugin.

CVE-2024-10542 (CVSS score: 9.8) - A reverse DNS spoofing vulnerability allowing unauthenticated attackers to bypass authorization and install arbitrary plugins. The vulnerability stems from insufficient validation of reverse DNS lookups. The plugin uses the strpos() function to check if "cleantalk.org" appears anywhere in the hostname, making it possible to bypass security checks using subdomains like "cleantalk.org.malicious.domain".
CVE-2024-10781 (CVSS score: 9.8) - An authentication bypass vulnerability exploiting empty API key validation, enabling attackers to gain unauthorized access. The vulnerability exists due to improper API key validation. When the API key is empty or not configured, the plugin still processes authorization tokens, allowing attackers to authenticate using a token matching an empty hash value.

The vulnerabilities affect Anti-Spam by Cleantalk plugin versions prior to 6.45, which is actively used on more than 200,000 WordPress websites. Version 6.44 only addresses the reverse DNS check vulnerability (CVE-2024-10542), while version 6.45, released in mid-November, patches both security flaws.

Both vulnerabilities allow unauthenticated attackers to install and activate arbitrary plugins, execute arbitrary code on vulnerable WordPress instances, potentially gain complete control of affected websites.

Critical flaws reported in WordPress Anti-Spam plugin by Cleantalk

Read More
Critical command injection flaw reported in W3 Total …
All-in-One WP Migration vulnerable to unauthenticated access
Avada WordPress theme fixes arbitrary file upload flaw
Critical flaw reported in InstaWP Connect WordPress plugin
GiveWP donation plugin fixes critical flaw