TechRadar
Sead Fadilpašić

Top WordPress anti-spam plugin may actually be putting your site at risk of attack

  • Researchers found two flaws in a popular WordPress plugin
  • Flaws allow threat actors to install malicious plugins and run arbitrary code
  • A patch is already available, so WordPress users should update now

A major anti-spam plugin for the website builder WordPress carried a pair of vulnerabilities, one rated critical and one rated high, that allowed unauthenticated threat actors to install plugins at will and, in some scenarios, execute arbitrary code remotely.

The bugs have since been patched, and users are advised to apply the fixed version as soon as possible.

The vulnerable plugin is called “Spam protection, Anti-Spam, and Firewall”, and was built by CleanTalk, a company developing spam protection for WordPress, Joomla, Drupal, and other website builders.

The plugin carried two flaws: one tracked as CVE-2024-10542 and one tracked as CVE-2024-10781. The first has a CVSS severity score of 9.8 (critical), while the second scores 8.1 (high).

The former is an unauthenticated Arbitrary Plugin Installation bug that stems from an authorization bypass via reverse DNS spoofing in the checkWithoutToken function: the function trusts a request based on the hostname returned for the caller's IP address, and an attacker who controls the reverse (PTR) record for their own IP can make it look like it belongs to a trusted domain. As a result, unauthenticated attackers can install and activate arbitrary plugins, which in some scenarios can be leveraged to achieve remote code execution.

The latter is also an unauthenticated Arbitrary Plugin Installation bug, this time caused by a missing empty-value check on the 'api_key' value in the 'perform' function, so a request carrying an empty key can pass the check on a site where no key is configured. The result is the same: remote code execution in certain scenarios, specifically when another vulnerable plugin is installed and activated.
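The two authorization mistakes described above, reverse-DNS-only trust and an API key comparison that accepts an empty value, are shown side by side with hardened versions below. This is an added illustration of the bug classes, not the plugin's own code, which the article does not reproduce; the trusted domain, the IP addresses and the DNS records are all constructed for the example.

```python
import hmac
from typing import Dict, List, Optional

# Constructed, offline stand-in for DNS. The attacker controls the PTR record for
# their own IP (that is what reverse DNS spoofing is), but NOT the forward zone of
# the trusted domain. The domain is an assumption standing in for the vendor's.
TRUSTED_SUFFIX = ".example-trusted.test"

PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "api.example-trusted.test",   # genuine vendor host
    "198.51.100.77": "api.example-trusted.test",  # attacker IP with a spoofed PTR record
}
A_RECORDS: Dict[str, List[str]] = {
    "api.example-trusted.test": ["203.0.113.10"],  # forward zone, vendor-controlled
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (stands in for gethostbyaddr)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(host: str) -> List[str]:
    """A-record lookup against the constructed table (stands in for gethostbyname_ex)."""
    return A_RECORDS.get(host, [])


def is_trusted_rdns_only(ip: str) -> bool:
    """Vulnerable pattern: trust any caller whose PTR name ends in the trusted suffix.
    Anyone who can set the PTR record for their own IP passes this check."""
    host = reverse_lookup(ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)


def is_trusted_fcrdns(ip: str) -> bool:
    """Hardened pattern: forward-confirmed reverse DNS. The PTR name must also
    resolve (in the vendor-controlled forward zone) back to the caller's IP."""
    host = reverse_lookup(ip)
    if host is None or not host.endswith(TRUSTED_SUFFIX):
        return False
    return ip in forward_lookup(host)


def api_key_matches_naive(stored_key: str, supplied_key: str) -> bool:
    """Vulnerable pattern: plain equality. On a site where no key is configured,
    stored_key is '' and an attacker submitting an empty key matches it."""
    return stored_key == supplied_key


def api_key_matches_hardened(stored_key: str, supplied_key: str) -> bool:
    """Hardened pattern: refuse when either side is empty, then compare in
    constant time so the check does not leak the key through timing."""
    if not stored_key or not supplied_key:
        return False
    return hmac.compare_digest(stored_key.encode(), supplied_key.encode())


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "rdns-only:", is_trusted_rdns_only(ip), "fcrdns:", is_trusted_fcrdns(ip))
    print("empty key, naive:", api_key_matches_naive("", ""))
    print("empty key, hardened:", api_key_matches_hardened("", ""))
```

Even the forward-confirmed check only proves that the caller's address appears in a zone the vendor controls; it is a network-identity check, not authentication. A request carrying a signature or a shared secret (with the empty case rejected, as above) is the stronger control, and a site that has never configured a key should treat every such request as unauthenticated rather than as matching an empty one.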

Spam protection, Anti-Spam, and Firewall is a major WordPress plugin, installed on more than 200,000 websites at press time. The bugs were first spotted by a researcher using the alias 'mikemyers', who reported the findings to WordFence, a WordPress security firm that runs a vulnerability research and bug bounty program.

WordFence reached out to CleanTalk in late October 2024, and the vendor released a patch a few days later. “We would like to commend the CleanTalk team for their prompt response and timely patch,” WordFence said.

Users are urged to update their sites with the latest patched version, which was 6.45.2 at press time.
