Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites
SecurityWeek
Two vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin allowed attackers to execute arbitrary code remotely.
Two critical vulnerabilities in CleanTalk’s anti-spam plugin for WordPress could allow attackers to execute arbitrary code remotely, without authentication, Defiant warns.
The issues, tracked as CVE-2024-10542 and CVE-2024-10781 (both rated CVSS 9.8), affect the ‘Spam protection, Anti-Spam, FireWall by CleanTalk’ plugin, which has more than 200,000 active installations.
Both flaws could allow remote, unauthenticated attackers to install and activate arbitrary plugins, including vulnerable plugins that could be exploited for remote code execution (RCE).
CVE-2024-10542, Defiant explains, is an authorization bypass in a function that handles remote calls and plugin installations and performs the token authorization for those actions.
Two other functions, used to check the originating IP address and the domain name, are vulnerable to IP and DNS spoofing, allowing attackers to specify an IP address and a subdomain they control ...
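The class of flaw described above, shown as an added illustration that is not the plugin's code and does not reproduce CleanTalk's actual logic: a remote-call authorization check that derives the "trusted origin" from inputs the caller controls (a forwarded-IP header and a caller-chosen hostname to resolve), placed next to a fail-closed version that resolves only a fixed vendor hostname, uses the transport-level peer address, and still requires the shared token. The hostnames, addresses, token and request shapes are all constructed for this example; Python is used so it runs stand-alone, although WordPress plugins are written in PHP.

```python
import hmac
import ipaddress

# Constructed stand-in for DNS (hostname -> A records) so the example runs offline.
FAKE_DNS = {
    "api.example-vendor.test": ["203.0.113.10"],   # hypothetical vendor API host
    "evil.attacker.test": ["198.51.100.77"],       # name whose DNS the attacker controls
}

TRUSTED_HOSTNAME = "api.example-vendor.test"  # hypothetical hard-coded vendor host
SHARED_TOKEN = "s3cr3t-token"                 # hypothetical per-site access token


def resolve(hostname):
    """Offline resolver over the constructed FAKE_DNS table."""
    return FAKE_DNS.get(hostname, [])


def weak_remote_call_allowed(request):
    """Spoofable pattern (illustrative, not the plugin's code).

    Two caller-controlled inputs decide whether the call is trusted:
    - the 'client IP' is read from X-Forwarded-For, which any client can set;
    - the hostname to resolve is taken from the request, so the caller can
      name a domain whose DNS records they control.
    The attacker therefore chooses both sides of the comparison, and no
    token is required at all.
    """
    claimed_ip = request["headers"].get("X-Forwarded-For", request["remote_addr"])
    hostname = request["params"].get("domain", TRUSTED_HOSTNAME)
    return claimed_ip in resolve(hostname)


def hardened_remote_call_allowed(request):
    """Fail-closed version: nothing the caller sends widens the trust set.

    - Only the transport-level peer address is used, never forwarded headers.
    - Only the hard-coded vendor hostname is resolved; the request cannot pick one.
    - The shared token is mandatory and compared in constant time; the IP
      check is defence in depth, not a substitute for authentication.
    """
    peer_ip = request["remote_addr"]
    try:
        ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if peer_ip not in resolve(TRUSTED_HOSTNAME):
        return False
    token = request["params"].get("token", "")
    return hmac.compare_digest(token, SHARED_TOKEN)


# --- constructed requests -------------------------------------------------

def spoofed_ip_request():
    """Attacker connects from their own address but forges the vendor IP in a header."""
    return {
        "remote_addr": "198.51.100.77",
        "headers": {"X-Forwarded-For": "203.0.113.10"},
        "params": {"action": "install_plugin"},
    }


def spoofed_dns_request():
    """Attacker supplies a hostname they control that resolves to their own address."""
    return {
        "remote_addr": "198.51.100.77",
        "headers": {},
        "params": {"domain": "evil.attacker.test", "action": "install_plugin"},
    }


def legitimate_request():
    """Request as the vendor host would send it: real peer address plus token."""
    return {
        "remote_addr": "203.0.113.10",
        "headers": {},
        "params": {"token": SHARED_TOKEN, "action": "install_plugin"},
    }


if __name__ == "__main__":
    for name, req in [("spoofed IP", spoofed_ip_request()),
                      ("spoofed DNS", spoofed_dns_request()),
                      ("legitimate", legitimate_request())]:
        print(f"{name:12s} weak={weak_remote_call_allowed(req)!s:5s} "
              f"hardened={hardened_remote_call_allowed(req)}")
```

Both forged requests pass the weak check and fail the hardened one, while the genuine request passes both; dropping the token from the genuine request makes the hardened check fail, which is the fail-closed behaviour an unauthenticated plugin-install endpoint needs.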
Copyright of this story belongs solely to SecurityWeek.