Digital security is one of the most important pillars of website management, especially for widely used platforms like WordPress. Recently, two critical flaws were identified in the WordPress plugin Spam protection, Anti-Spam, FireWall by CleanTalk, which is installed on more than 200 thousand websites.
These vulnerabilities allow unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution. With a CVSS score of 9.8 out of 10, these flaws pose a high risk to sites whose administrators have not updated the plugin.
This post details these vulnerabilities, their causes, impacts and recommended measures to mitigate the risks.
What were the critical flaws in the WordPress plugin?
The flaws discovered in the CleanTalk plugin have been identified as CVE-2024-10542 and CVE-2024-10781, both classified as critical due to their severity and ease of exploitation.
CVE-2024-10542: Authorization bypass via reverse DNS spoofing
This flaw occurs in the function checkWithoutToken(), which authorizes a request based on the caller's IP address and the domain name obtained for it through reverse DNS. Because an attacker can spoof that DNS data, the authorization check can be bypassed, giving access to functions such as installing, activating, and deactivating plugins.
Impact
Attackers can install vulnerable plugins and execute malicious code.
The security of unprotected websites can be completely compromised.
CVE-2024-10781: Missing empty value check
In this case, the flaw is the absence of a check for an empty API key value (api_key). When no key has been configured, the empty value can be used by attackers to authorize actions as if they were legitimate administrators.
Impact
Malicious authorizations can be performed without the need for credentials.
Critical functionality may be manipulated by unauthorized third parties.
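Both flaws are failures of the same authorization check: trusting a reverse-DNS name that the caller's network owner controls, and comparing an API key without first confirming that one was ever set. The following Python example, added here as an illustration and not taken from the CleanTalk plugin, shows each weak pattern next to its hardened form. The trusted domain (example-vendor.test), the DNS tables and the request values are all constructed; the combined authorize_remote_action() check is a design choice for this example, not a description of how the plugin's fix works.

```python
"""Authorization-check patterns behind a remote-controlled admin endpoint.

Constructed illustration: NOT the CleanTalk plugin's code. The vendor
domain, the DNS records and the keys below are made up for the example.
"""
import hmac
from typing import Callable, FrozenSet, Optional

# Assumption: the vendor's API hosts live under this placeholder domain.
TRUSTED_DOMAIN_SUFFIX = ".example-vendor.test"

PtrLookup = Callable[[str], Optional[str]]       # IP -> PTR hostname
ForwardLookup = Callable[[str], FrozenSet[str]]  # hostname -> A/AAAA set

# Constructed DNS data. Whoever holds an IP block controls its PTR records,
# so a PTR name can claim anything; only the forward zone of
# example-vendor.test is under the vendor's control.
PTR_RECORDS = {
    "203.0.113.10": "api.example-vendor.test",  # genuine vendor host
    "198.51.100.7": "api.example-vendor.test",  # PTR chosen by that IP's owner
}
FORWARD_RECORDS = {
    "api.example-vendor.test": frozenset({"203.0.113.10"}),
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for a reverse DNS query (offline, uses the table above)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(host: str) -> FrozenSet[str]:
    """Stand-in for a forward DNS query (offline, uses the table above)."""
    return FORWARD_RECORDS.get(host, frozenset())


def trusted_by_ptr_only(remote_ip: str, ptr: PtrLookup = ptr_lookup) -> bool:
    """Weak pattern: trusts the reverse (PTR) name alone."""
    host = ptr(remote_ip)
    return host is not None and host.endswith(TRUSTED_DOMAIN_SUFFIX)


def trusted_by_fcrdns(remote_ip: str, ptr: PtrLookup = ptr_lookup,
                      forward: ForwardLookup = forward_lookup) -> bool:
    """Hardened: forward-confirmed reverse DNS. The PTR name must resolve
    back to the caller's own IP, which a forged PTR cannot arrange."""
    host = ptr(remote_ip)
    if not host or not host.endswith(TRUSTED_DOMAIN_SUFFIX):
        return False
    return remote_ip in forward(host)


def key_matches_unchecked(configured: str, presented: str) -> bool:
    """Weak pattern: plain equality with no empty-value check, so an
    unconfigured key ('') matches a blank key sent by anyone."""
    return configured == presented


def key_matches_checked(configured: str, presented: str) -> bool:
    """Hardened: refuse when no key is configured or none is presented,
    then compare in constant time."""
    if not configured or not presented:
        return False
    return hmac.compare_digest(configured.encode("utf-8"),
                               presented.encode("utf-8"))


def authorize_remote_action(remote_ip: str, presented_key: str,
                            configured_key: str, ptr: PtrLookup = ptr_lookup,
                            forward: ForwardLookup = forward_lookup) -> bool:
    """Combined hardened check (design choice for this example): require
    both a configured, matching key and a forward-confirmed vendor host."""
    return (key_matches_checked(configured_key, presented_key)
            and trusted_by_fcrdns(remote_ip, ptr, forward))


if __name__ == "__main__":
    print("PTR-only, caller 198.51.100.7:", trusted_by_ptr_only("198.51.100.7"))  # True (weak)
    print("FCrDNS,   caller 198.51.100.7:", trusted_by_fcrdns("198.51.100.7"))    # False
    print("blank key vs unset key, unchecked:", key_matches_unchecked("", ""))    # True (weak)
    print("blank key vs unset key, checked:  ", key_matches_checked("", ""))      # False
```

Run as a script to see the four comparisons; the two "weak" lines reproduce the conditions described above, and the hardened variants reject the same inputs. The forward-confirmation step matters because a PTR record is published by the owner of the IP range, while the forward record is published by the owner of the domain name.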
Both vulnerabilities require immediate attention, considering that they can compromise the integrity of the website, its stored data and the user experience.