Two critical vulnerabilities in the widely used Anti-Spam by CleanTalk WordPress plugin have been disclosed, potentially exposing over 200,000 websites to compromise. These vulnerabilities enable unauthenticated attackers to bypass authorization mechanisms, install malicious plugins, and execute arbitrary code. Immediate action is required to secure affected websites.
Vulnerability Details
1. CVE-2024-10542
- Severity: Critical (CVSS 9.8)
- Vulnerability Type: Authorization Bypass via Reverse DNS Spoofing
- Description:
- The plugin determines IP addresses using user-defined headers (X-Client-Ip and X-Forwarded-By).
- These headers can be manipulated through IP address spoofing, allowing attackers to bypass authentication checks and gain unauthorized administrative access.
- Exploitation enables attackers to install and activate plugins remotely.
2. CVE-2024-10781
- Severity: Critical (CVSS 9.8)
- Vulnerability Type: Missing Empty Value Check for API Key
- Description:
- The plugin does not validate whether the API key is empty.
- Websites with unconfigured API keys are vulnerable to unauthorized actions, such as remote plugin installation and activation.
Affected Versions
- Anti-Spam by CleanTalk plugin versions prior to 6.45.
Impact Assessment
- Risk Level: Critical
- Potential Impacts:
- Unauthorized Access: Attackers can bypass security mechanisms.
- Code Execution: Execution of arbitrary code via malicious plugin installations.
- Website Takeover: Full compromise of vulnerable WordPress sites.
Mitigation and Recommendations
1. Update to Patched Version
- Upgrade to Anti-Spam by CleanTalk version 6.45 or later.
- Check the plugin repository or WordPress admin dashboard for updates.
2. Hardening Measures
- Enable Web Application Firewalls (WAF): A WAF can block unauthorized access attempts and protect against exploits.
- Verify API Key Configuration: Ensure that all API keys are properly configured to avoid vulnerability exploitation.
- Restrict Access to Admin Panels: Use IP whitelisting or VPNs to limit administrative access.
3. Regular Maintenance
- Update all WordPress plugins, themes, and core installations regularly.
- Conduct periodic security audits to identify and mitigate misconfigurations.
4. Monitor Website Activity
- Use monitoring tools to detect unusual behaviors, such as unauthorized plugin activations or admin logins.
Indicators of Compromise (IoCs)
- Unexpected installation or activation of unknown plugins.
- Suspicious administrative login activity, especially from unfamiliar IP addresses.
- Unexplained changes to website content or functionality.
Action Plan
- Immediate Response:
- Update the Anti-Spam by CleanTalk plugin to the latest version (6.45 or later).
- Validate API key configurations to prevent unauthorized access.
- Preventive Measures:
- Enable a Web Application Firewall to block unauthorized access attempts.
- Regularly audit website settings for misconfigurations or outdated plugins.
- Long-term Monitoring:
- Monitor admin activity logs for unusual behaviors.
- Regularly review plugin update statuses.
References
- Wordfence Threat Intelligence Advisory
- Official WordPress Plugin Repository: Anti-Spam by CleanTalk
Summary
The vulnerabilities in the Anti-Spam by CleanTalk plugin highlight the critical importance of timely updates and robust security practices. Websites running this plugin must update immediately to prevent exploitation. Employing firewalls, monitoring, and routine updates can mitigate risks and protect against future vulnerabilities.
