Two critical vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin have left more than 200,000 websites at risk. These issues, identified as Authorization Bypass via Reverse DNS Spoofing and Authorization Bypass due to Missing Empty Value Check, could allow attackers to install and activate plugins without authentication, potentially leading to remote code execution when paired with other vulnerable plugins.
Discovery and timeline
The vulnerabilities were first reported on October 30, 2024, by researcher mikemyers, through the Wordfence Bug Bounty Program. The first vulnerability, tracked as CVE-2024-10542, allowed attackers to bypass authorization checks by manipulating how the plugin resolved IP addresses. On November 4, 2024, during a routine patch review, Wordfence researchers identified a second flaw, CVE-2024-10781, caused by insufficient validation of empty API keys.
Wordfence validated the initial report the same day it was submitted and collaborated with CleanTalk to ensure the vulnerabilities were addressed promptly. The first fix was released on November 1, 2024, and a full resolution came with version 6.45 on November 14, 2024.
Technical breakdown
CVE-2024-10542: Authorization Bypass via Reverse DNS Spoofing
This vulnerability arose from the checkWithoutToken function, which relied on a reverse DNS lookup of the requesting IP address to confirm that a token-less request came from CleanTalk's own servers. The check was weak in two ways: the IP it resolved could be spoofed through request headers, and the hostname test only looked for the string cleantalk.org anywhere in the resolved name, so an attacker-controlled hostname such as a subdomain containing that string would pass. Either route let an unauthenticated attacker install and activate arbitrary plugins, which opens the door to further malicious actions, including remote code execution if combined with another vulnerable plugin.
CVE-2024-10781: Authorization Bypass due to Missing Empty Value Check
The second issue stemmed from the plugin failing to reject an empty API key. On sites where no API key had been configured, the plugin still derived its expected authentication token from that empty value, and since the empty key is known to everyone, an attacker could compute the matching token and authenticate, enabling the same plugin installation and activation actions exploited in the first vulnerability.
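To make both failure modes concrete, the following is an added example (not CleanTalk's code and not taken from the Wordfence advisory) that models the two checks described above side by side with hardened versions. The dictionaries standing in for reverse and forward DNS, the IP addresses and hostnames, the header handling, and the token derivation (a hex MD5 of the API key) are all assumptions made for the example; the page does not state how the real plugin derives its token.

```python
import hashlib
import hmac

# Everything below is constructed for this example. The dictionaries stand in
# for reverse (PTR) and forward (A) DNS so that it runs offline; real code would
# call socket.gethostbyaddr() and socket.getaddrinfo().
TRUSTED_DOMAIN = "cleantalk.org"

REVERSE_DNS = {
    "203.0.113.10": "api.cleantalk.org",           # legitimate upstream host
    "198.51.100.7": "cleantalk.org.evil.example",  # attacker PTR containing the string
    "198.51.100.8": "fake.cleantalk.org",          # attacker PTR, not forward-confirmed
}
FORWARD_DNS = {
    "api.cleantalk.org": {"203.0.113.10"},
    "cleantalk.org.evil.example": {"198.51.100.7"},
    # "fake.cleantalk.org" has no A record: the PTR lies.
}


def client_ip_vulnerable(headers, remote_addr):
    """Trusts a client-supplied X-Forwarded-For header, so the IP is spoofable."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(headers, remote_addr):
    """Uses only the socket peer address; proxy headers are ignored unless a
    trusted proxy is explicitly configured (none is, in this example)."""
    return remote_addr


def host_is_trusted_vulnerable(ip):
    """Substring test on the PTR name: any hostname containing the trusted
    domain anywhere passes, including cleantalk.org.evil.example."""
    return TRUSTED_DOMAIN in REVERSE_DNS.get(ip, "")


def host_is_trusted_hardened(ip):
    """Label-anchored suffix test plus forward-confirmed reverse DNS (FCrDNS)."""
    host = REVERSE_DNS.get(ip, "")
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return False
    # The PTR is controlled by whoever owns the IP block; the forward record is
    # controlled by the domain owner, so require both to agree.
    return ip in FORWARD_DNS.get(host, set())


def token_for(api_key):
    """Assumed derivation: hex MD5 of the key. md5('') is a public constant."""
    return hashlib.md5(api_key.encode()).hexdigest()


def token_is_valid_vulnerable(api_key, token):
    """No empty-value check: on a site with no key configured the expected
    token is token_for(''), which anyone can compute."""
    return token == token_for(api_key)


def token_is_valid_hardened(api_key, token):
    """Refuse to authenticate at all when no key is configured, and compare in
    constant time."""
    if not api_key or not token:
        return False
    return hmac.compare_digest(token, token_for(api_key))


def authorize(headers, remote_addr, api_key, token, hardened):
    """Remote-call gate: a request passes if it carries a valid token or comes
    from a trusted host (the token-less path, as in checkWithoutToken)."""
    if hardened:
        ip = client_ip_hardened(headers, remote_addr)
        return token_is_valid_hardened(api_key, token) or host_is_trusted_hardened(ip)
    ip = client_ip_vulnerable(headers, remote_addr)
    return token_is_valid_vulnerable(api_key, token) or host_is_trusted_vulnerable(ip)


if __name__ == "__main__":
    cases = [
        ("spoofed X-Forwarded-For from unknown IP", {"X-Forwarded-For": "203.0.113.10"}, "192.0.2.50", "secret", None),
        ("PTR merely containing cleantalk.org", {}, "198.51.100.7", "secret", None),
        ("PTR under cleantalk.org with no A record", {}, "198.51.100.8", "secret", None),
        ("genuine upstream host", {}, "203.0.113.10", "secret", None),
        ("no key configured, token = md5('')", {}, "192.0.2.50", "", token_for("")),
        ("configured key, correct token", {}, "192.0.2.50", "secret", token_for("secret")),
    ]
    for name, hdrs, ip, key, tok in cases:
        print(f"{name:42s} vulnerable={authorize(hdrs, ip, key, tok, False)}"
              f" hardened={authorize(hdrs, ip, key, tok, True)}")
```

The first four cases exercise the reverse DNS path: the vulnerable gate accepts a spoofed header, a hostname that merely contains the trusted string, and a PTR record whose forward lookup does not confirm it, while the hardened gate accepts only the genuine host. The last two cases exercise the token path: with no key configured, the vulnerable gate accepts the token computed from the empty key, and the hardened gate refuses to authenticate until a key exists.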
CleanTalk’s response
The CleanTalk team acted swiftly to address these issues. The initial vulnerability was partially patched on November 1, 2024, with version 6.44. After Wordfence identified the second flaw, a fully patched version, 6.45, was released on November 14, 2024. CleanTalk’s prompt response highlights its commitment to maintaining user security and protecting the WordPress ecosystem.
The Anti-Spam by CleanTalk plugin is widely used to protect WordPress sites from spam and malicious activity, making these vulnerabilities particularly impactful. Site owners are urged to update to the latest version (6.45) immediately to secure their installations. Additionally, ensuring the plugin is correctly configured with an API key can help mitigate risks associated with misconfiguration.
Wordfence recommends regularly reviewing site logs to identify unauthorized plugin installations and keeping all plugins updated to their latest versions.