Two critical vulnerabilities have been identified and patched in the popular Anti-Spam by CleanTalk plugin, which protects over 200,000 WordPress websites worldwide. The flaws, discovered in October and November 2024, allowed unauthorised attackers to bypass the plugin's authorisation checks, potentially enabling remote code execution.
The first vulnerability, identified by researchers as ‘Authorisation Bypass via Reverse DNS Spoofing (CVE-2024-10542),’ was disclosed on October 30 by security researcher ‘mikemyers.’
The flaw resides in the plugin’s ‘checkWithoutToken()’ function. Attackers can manipulate the IP resolution process so that a request appears to originate from a trusted domain (e.g., ‘cleantalk.org’) by spoofing the ‘X-Client-Ip’ and ‘X-Forwarded-By’ headers.
The plugin’s use of the PHP ‘strpos()’ function, which only checks whether the trusted domain name appears somewhere in the resolved hostname rather than matching it exactly, further exposes the plugin to spoofing through subdomains.
A subsequent vulnerability, ‘Authorisation Bypass due to Missing Empty Value Check (CVE-2024-10781),’ was discovered on November 4, during a review of the patch released for the first issue.

This second flaw, rated 9.8 on the CVSS scale, affects plugin versions 6.44 and earlier. It allows unauthorised access when the plugin’s API key has not been configured, letting attackers bypass the authorisation checks.
Researchers observed that this issue stems from an incomplete validation mechanism during the API key authorisation process. If the API key is left empty, an attacker can exploit the plugin by submitting a token that matches the hash of an empty key.
The first flaw, the reverse DNS spoofing weakness (CVE-2024-10542), affects plugin versions 6.43.2 and earlier and enables attackers to install and activate arbitrary plugins. A critical CVSS score of 9.8 underscores the severity of the issue.
The second bypass (CVE-2024-10781) allows the same unauthorised actions as the earlier vulnerability, including plugin manipulation.
Both vulnerabilities could enable remote code execution when chained with another vulnerable plugin.
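To make the two weak patterns described above concrete, here is a constructed PHP illustration, added here and not taken from the CleanTalk plugin, showing a substring-based host check and an empty-key token check beside hardened versions. The use of md5 as the token hash, the allow-list and the sample hostnames are assumptions for the demonstration.

```php
<?php
// Constructed example, not code from the Anti-Spam by CleanTalk plugin; md5 as the
// token hash, the allow-list and the sample hostnames are assumptions.

// Weak: strpos() only asks whether the trusted name appears somewhere in the host,
// so "cleantalk.org.attacker.example" passes.
function host_is_trusted_weak(string $host): bool {
    return strpos($host, 'cleantalk.org') !== false;
}

// Hardened: exact match or dotted-suffix match against an allow-list, so only
// "cleantalk.org" itself or a real subdomain such as "api.cleantalk.org" passes.
function host_is_trusted(string $host, array $allowed = ['cleantalk.org']): bool {
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $domain) {
        $suffix = '.' . $domain;
        if ($host === $domain || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

// Weak: compares against the hash of whatever key is configured, including an
// empty string, so an unconfigured key behaves like a publicly known key.
function token_is_valid_weak(string $api_key, string $token): bool {
    return $token === md5($api_key);
}

// Hardened: an unset key must fail closed, and the comparison is constant-time.
function token_is_valid(string $api_key, string $token): bool {
    if ($api_key === '' || $token === '') {
        return false;
    }
    return hash_equals(md5($api_key), $token);
}

// Identify the client by the transport address only: X-Client-Ip and X-Forwarded-By
// are headers the sender chooses. The reverse lookup is forward-confirmed.
function client_is_trusted(array $server): bool {
    $ip   = $server['REMOTE_ADDR'] ?? '';
    $host = $ip !== '' ? gethostbyaddr($ip) : false;
    if ($host === false || $host === $ip || !host_is_trusted($host)) {
        return false;
    }
    return in_array($ip, gethostbynamel($host) ?: [], true);
}
var_dump(host_is_trusted_weak('cleantalk.org.attacker.example'), host_is_trusted('cleantalk.org.attacker.example'));
var_dump(token_is_valid_weak('', md5('')), token_is_valid('', md5('')));
```

The two var_dump calls show the weak checks accepting a hostname that merely contains the trusted domain and a token derived from an empty key, while the hardened versions reject both.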
Researchers have advised users of Anti-Spam by CleanTalk to update to the latest version of the plugin. Given the critical scores of these vulnerabilities, delaying the update could expose websites to severe security risks.
