Security vulnerabilities were recently discovered in the WordPress plugin Spam protection, Anti-Spam, FireWall by CleanTalk by researchers at Wordfence, the maker of a full-featured security plugin for WordPress.
The plugin aims to keep spam at bay on WordPress sites, which make up a large share of the web, by protecting forms and other site features from fake or bot traffic. The recently found vulnerabilities, however, lie in some of the plugin's backend checks.
According to the plugin's overview page on WordPress.org, active installations number over 200,000, leaving any of those sites that have not been updated exposed to remote attacks.
Vulnerabilities
In the vulnerability tagged CVE-2024-10542 (critical, scored 9.8), an attacker who can spoof DNS to impersonate CleanTalk's servers can remove or install plugins, and could thereby install a vulnerable plugin under their own control.
In the vulnerability tagged CVE-2024-10781 (also critical, scored 9.8), the flaw affects websites with misconfigured API credentials: a request could carry an empty API value and, because the plugin did not check for missing values, the check passed and granted full authentication.
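The empty-value check described above, as an added illustration of the bug class rather than the plugin's own code: a loose comparison that never tests for a missing key beside a fail-closed version (the parameter name `api_key`, the request shapes and the fixture keys are constructed assumptions).

```python
import hmac
from typing import Optional

# Constructed request fixtures; "api_key" is a hypothetical parameter name,
# not the plugin's real one.
REQUESTS = [
    {"api_key": ""},                # empty value, the case behind the bypass
    {"api_key": "wrong-key"},
    {"api_key": "s3cr3t-site-key"},
]


def weak_authorize(stored_key: Optional[str], request: dict) -> bool:
    """Illustrates the bug class: plain equality with no test for a missing
    or empty key. On a site that never configured a key, stored_key is ""
    (or None), so an empty submitted key compares equal and is accepted."""
    provided = request.get("api_key", "")
    return (stored_key or "") == provided


def strict_authorize(stored_key: Optional[str], request: dict) -> bool:
    """Hardened check: deny when the key was never configured or the request
    omits or blanks it, then compare the remaining values in constant time."""
    if not stored_key:
        return False  # misconfigured site: fail closed rather than accept
    provided = request.get("api_key")
    if not isinstance(provided, str) or provided == "":
        return False
    return hmac.compare_digest(stored_key.encode(), provided.encode())


def audit(stored_key: Optional[str]) -> list:
    """Run every fixture through both checks; returns (weak, strict) pairs
    so the divergence on an unconfigured site is easy to see."""
    return [(weak_authorize(stored_key, r), strict_authorize(stored_key, r))
            for r in REQUESTS]


if __name__ == "__main__":
    print("unconfigured site:", audit(""))
    print("configured site:  ", audit("s3cr3t-site-key"))
```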
Website owners running WordPress with the Spam protection, Anti-Spam, FireWall plugin are encouraged to verify their installed version and, if needed, update to at least version 6.45. The latest version currently available is 6.45.2.