Full Report
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution. The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions
Analysis Summary
# Vulnerability: Critical Authorization Bypass in WordPress Anti-Spam Plugin Allows Arbitrary Plugin Installation
## CVE Details
- CVE ID: CVE-2024-10542, CVE-2024-10781
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly stated, related to Authorization Bypass (CWE-284)
## Affected Systems
- Products: Spam protection, Anti-Spam, and FireWall plugin by CleanTalk for WordPress.
- Versions: All versions up to and including 6.44 (for CVE-2024-10781). Version prior to 6.45 and 6.44 for CVE-2024-10542.
- Configurations: WordPress sites using the affected plugin.
## Vulnerability Description
Two critical vulnerabilities allow an unauthenticated attacker to perform unauthorized actions on vulnerable WordPress sites, primarily concerning plugin management.
1. **CVE-2024-10781 (Authorization Bypass via Missing Check):** This flaw stems from a missing empty value check on the `'api_key'` value within the `perform` function, allowing an attacker to bypass authorization mechanisms.
2. **CVE-2024-10542 (Authorization Bypass via Reverse DNS Spoofing):** This vulnerability affects the `checkWithoutToken()` function and allows authorization bypass through reverse DNS spoofing.
Successful exploitation of either flaw permits an attacker to install, activate, deactivate, and uninstall arbitrary plugins on the targeted site.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but potential for severe impact implies high risk.
- Complexity: Likely Low, given the unauthenticated nature of the bypasses.
- Attack Vector: Network (via HTTP requests to the vulnerable WordPress instance).
## Impact
- Confidentiality: High (Arbitrary plugin installation could lead to data exfiltration or credential theft).
- Integrity: High (Ability to install/modify plugins allows for complete site compromise and execution of arbitrary code).
- Availability: High (Attackers can uninstall or deactivate critical site components).
## Remediation
### Patches
- Update to version **6.45** or later to resolve both CVEs.
### Workarounds
- No specific workarounds were detailed in the provided text, but network-level filtering or tight access controls on the plugin's endpoints could serve as temporary measures until patching is complete.
## Detection
- Detection methods typically involve monitoring web application logs for anomalous requests targeting plugin management functions associated with the CleanTalk plugin.
- Indicators of Compromise (IOCs) would include the sudden appearance, activation, or deactivation of unknown plugins on the WordPress installation, potentially leading to malicious redirects or code execution.
## References
- Vendor advisory (Implicitly through the release of 6.44 and 6.45 updates).
- Researcher Report: hxxps://www.wordfence.com/blog/2024/11/200000-wordpress-sites-affected-by-unauthenticated-critical-vulnerabilities-in-anti-spam-by-cleantalk-wordpress-plugin/