A popular WordPress anti-spam plugin could have put your site at risk of attack
- A researcher discovered two flaws in a popular WordPress anti-spam plugin
- The flaws let unauthenticated attackers install and activate arbitrary plugins, which can lead to remote code execution
- A patch is already available, so WordPress users should update now
A popular anti-spam plugin for WordPress, the most widely used website platform, contained two vulnerabilities, one of them critical, that allowed unauthenticated attackers to install plugins at will and, in some scenarios, execute arbitrary code remotely.
The bugs have now been fixed, and users are advised to update to the patched version as soon as possible.
The vulnerable plugin is called “Spam Protection, Anti-Spam and Firewall” and was built by CleanTalk, a company that develops spam protection for WordPress, Joomla, Drupal and other content management systems.
Popular plugin
The plugin had two flaws, tracked as CVE-2024-10542 and CVE-2024-10781. The first has a CVSS severity score of 9.8 (critical), the second 8.1 (high).
The first is an unauthenticated arbitrary plugin installation bug. It stems from an authorization bypass in the checkWithoutToken function, which trusted the result of a reverse DNS lookup on the requester's IP address; because an attacker controls the reverse DNS (PTR) record for their own IP, that check can be spoofed. As a result, unauthenticated attackers can install and activate arbitrary plugins, which can be used to achieve remote code execution in some scenarios.
The second is also an unauthenticated arbitrary plugin installation bug, caused by a missing empty-value check on the ‘api_key’ value in the ‘perform’ function. The outcome is the same: attackers can install and activate arbitrary plugins, and in certain scenarios, for example when a plugin with a known vulnerability is installed and activated, this leads to remote code execution.
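To make the two weak checks concrete, here is an added illustration in Python of the patterns the advisory describes: trusting a reverse DNS result as proof of origin, and comparing an API key without first rejecting an empty value. This is not CleanTalk's code and makes no claim about how the plugin is actually written; the domain name used as trust anchor, the DNS records, the IP addresses and the key values are constructed for the example. The hardened versions use forward-confirmed reverse DNS (the PTR name must resolve back to the connecting IP, which an attacker's PTR record cannot) and a constant-time comparison that refuses empty keys.

```python
"""Added illustration, not code from the CleanTalk plugin: a reverse-DNS
trust check and an API-key comparison, each in a bypassable and a hardened
form. All DNS records, IPs, names and keys below are constructed."""
import hmac

TRUSTED_DOMAIN = "cleantalk.org"  # assumed trust anchor for the illustration

# Constructed DNS data. The attacker controls the PTR record for their own
# IP (198.51.100.7) and has pointed it at a name under the trusted domain,
# but cannot make the trusted domain's forward (A) records point at that IP.
PTR_RECORDS = {
    "203.0.113.10": "api.cleantalk.org",   # legitimate service host
    "198.51.100.7": "api.cleantalk.org",   # PTR spoofed by the attacker
}
A_RECORDS = {
    "api.cleantalk.org": {"203.0.113.10"},
    "attacker.example": {"198.51.100.7"},
}


def reverse_lookup(ip):
    """Stand-in for gethostbyaddr(): returns the PTR name or None."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """Stand-in for an A-record query: returns the set of IPs for name."""
    return A_RECORDS.get(name, set())


def host_in_trusted_domain(name):
    """True if name is the trusted domain or a proper subdomain of it.
    The leading dot prevents 'evilcleantalk.org' from matching."""
    return name == TRUSTED_DOMAIN or name.endswith("." + TRUSTED_DOMAIN)


def is_trusted_naive(ip):
    """Bypassable pattern: trust whatever the PTR record says."""
    name = reverse_lookup(ip)
    return name is not None and host_in_trusted_domain(name)


def is_trusted_fcrdns(ip):
    """Hardened pattern: forward-confirmed reverse DNS. The PTR name must
    itself resolve to the connecting IP, which rules out a spoofed PTR."""
    name = reverse_lookup(ip)
    if name is None or not host_in_trusted_domain(name):
        return False
    return ip in forward_lookup(name)


def key_matches_naive(stored_key, provided_key):
    """Bypassable pattern: plain equality with no empty-value check. If no
    key has been configured (empty string), a request carrying an empty
    api_key is accepted."""
    return stored_key == provided_key


def key_matches_hardened(stored_key, provided_key):
    """Hardened pattern: refuse a missing or empty key on either side, then
    compare in constant time so the check leaks no timing information."""
    if not stored_key or not provided_key:
        return False
    return hmac.compare_digest(stored_key.encode(), provided_key.encode())


def authorize_install(ip, stored_key, provided_key):
    """A privileged endpoint should require both checks to pass."""
    return is_trusted_fcrdns(ip) and key_matches_hardened(stored_key, provided_key)


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "naive:", is_trusted_naive(ip), "fcrdns:", is_trusted_fcrdns(ip))
    print("empty key, naive:", key_matches_naive("", ""))
    print("empty key, hardened:", key_matches_hardened("", ""))
    print("attacker with empty key, hardened:", authorize_install("198.51.100.7", "", ""))
```

Even the forward-confirmed variant only establishes where a request came from, not who sent it; a privileged action such as installing a plugin should additionally require a per-site secret or a signed request, which is what the empty-key rejection is there to protect.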
Spam Protection, Anti-Spam and Firewall is a major WordPress plugin installed on over 200,000 websites at the time of writing. The bugs were discovered by a researcher with the alias ‘mikemyers’, who reported the findings to WordFence, a company that investigates WordPress vulnerabilities.
WordFence contacted CleanTalk in late October 2024, and the company released a patch a few days later. “We would like to thank the CleanTalk team for their quick response and timely patch,” WordFence said.
Users are urged to update the plugin to the latest patched version, which at the time of writing was 6.45.2.