
Cybersecurity Threat Advisory

Two critical security flaws have been identified in a WordPress plugin—Anti-Spam by CleanTalk. This plugin is installed on more than 200,000 websites. Review this Cybersecurity Threat Advisory to learn how to mitigate your risks from these vulnerabilities.


What is the threat?

The two critical vulnerabilities in the WordPress Spam Protection, Anti-Spam and Firewall plugin (Anti-Spam by CleanTalk) allow unauthenticated attackers to install and activate malicious plugins on affected sites and thereby achieve remote code execution (RCE). The vulnerabilities, identified as CVE-2024-10542 and CVE-2024-10781, each have a CVSS score of 9.8 out of 10.0. Security patches were made available in versions 6.44 and 6.45, released earlier this month.

Why is this noteworthy?

These two vulnerabilities can be quite damaging. CVE-2024-10542 is an authorization bypass via reverse DNS spoofing. By spoofing the reverse DNS check performed in the checkWithoutToken() function, attackers can pose as CleanTalk’s servers, allowing them to install and activate arbitrary plugins without authentication.

CVE-2024-10781 is an authorization bypass due to a missing empty-value check. This vulnerability exposes websites to unauthorized actions when the plugin’s API key remains unconfigured. Attackers can exploit this flaw by using the hash of an empty API key to authorize themselves and perform actions like installing or activating plugins.

Both vulnerabilities are considered critical because attackers can perform RCE to compromise the integrity and security of affected websites. Users of Wordfence Premium, Care, and Response already have active firewall rules in place to protect against these vulnerabilities.

What is the exposure or risk?

To exploit CVE-2024-10542, an attacker can create a subdomain like “cleantalk.org.evilsite.com” to deceive the security check and bypass authorization. This allows the attacker to install or activate malicious plugins. The improper use of strpos() to check for the “cleantalk.org” string anywhere in the hostname, rather than as its domain suffix, makes this function susceptible to spoofing attacks.

CVE-2024-10781 arises from the failure to validate empty API keys. If the plugin’s API key is not configured, attackers can exploit the fallback logic to authenticate themselves by matching an empty hash value. This issue is especially critical for unconfigured plugins, which may be common among less experienced site administrators. Without an API key, the hash comparison becomes simple to bypass, allowing attackers to circumvent security measures.
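As an added illustration (not the plugin’s own code), the PHP below contrasts the substring-style hostname check described above with an anchored, forward-confirmed one, and the empty API key fallback with a check that refuses to authorize an unconfigured key. The md5 hash, the injected `$resolve` callback, the function names and the sample addresses are assumptions for the example.

```php
<?php
// Added example, not CleanTalk's code. Contrasts the substring-style hostname
// check the advisory describes with an anchored, forward-confirmed check, and
// the empty API key fallback with a check that refuses an unconfigured key.

const TRUSTED_DOMAIN = 'cleantalk.org';

// Weak: passes for "cleantalk.org.evilsite.com" because the string merely appears.
function weak_hostname_check(string $hostname): bool {
    return strpos($hostname, TRUSTED_DOMAIN) !== false;
}

// Hardened: the name must be the trusted domain or end in "." followed by it,
// and must resolve back to the connecting IP (forward-confirmed reverse DNS).
// $resolve is injected so the example runs offline; in production wrap
// gethostbynamel(), which returns the IPs a name resolves to (or false).
function strict_hostname_check(string $ip, string $hostname, callable $resolve): bool {
    $host   = strtolower(rtrim($hostname, '.'));
    $suffix = '.' . TRUSTED_DOMAIN;
    $tail_ok = $host === TRUSTED_DOMAIN
        || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
    if (!$tail_ok) {
        return false;
    }
    $forward = $resolve($host) ?: [];   // IPs the name resolves to
    return in_array($ip, $forward, true);
}

// Weak: with no key configured this compares against the hash of '', which any
// requester can supply. (md5 is assumed here purely for illustration.)
function weak_key_check(string $configured_key, string $presented_hash): bool {
    return md5($configured_key) === $presented_hash;
}

// Hardened: an unconfigured key never authorizes, and the comparison is constant-time.
function strict_key_check(string $configured_key, string $presented_hash): bool {
    if ($configured_key === '') {
        return false;
    }
    return hash_equals(md5($configured_key), $presented_hash);
}

// Constructed demo data: a fake resolver and documentation-range IPs.
$resolver = fn(string $h): array => $h === 'node.cleantalk.org' ? ['203.0.113.10'] : [];
var_dump(weak_hostname_check('cleantalk.org.evilsite.com'));
var_dump(strict_hostname_check('198.51.100.7', 'cleantalk.org.evilsite.com', $resolver));
var_dump(strict_hostname_check('203.0.113.10', 'node.cleantalk.org', $resolver));
var_dump(weak_key_check('', md5('')));
var_dump(strict_key_check('', md5('')));
```

Only the weak checks accept the spoofed subdomain and the empty-key hash; the hardened versions reject both while still accepting a genuine, forward-confirmed cleantalk.org host.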

What are the recommendations?

Barracuda recommends the following actions to protect your environment against these vulnerabilities:

  • Update Anti-Spam by CleanTalk to version 6.45.
  • Ensure the plugin’s API key is properly configured.
  • Implement additional security measures, such as a Web Application Firewall, to protect your WordPress websites.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.



Posted by Mandeep Gujral

Mandeep is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Mandeep supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
