WordPress site owners urged to act as critical plugin flaws remain unpatched for many

Published 28 Nov 2024

Over 200,000 WordPress sites have been left vulnerable to attacks due to critical flaws in the popular CleanTalk Anti-Spam plugin. These vulnerabilities, which could allow attackers to gain full control of websites without any authentication, have now been fixed in recent updates, but many site owners have yet to install the patches.

The affected plugin, CleanTalk Anti-Spam, is a widely used tool that blocks spam comments, form submissions and registrations on WordPress websites. Its two flaws were discovered in late October 2024 by security researchers, among them one known as “mikemyers”, and were reported through the Wordfence Bug Bounty Program. The first was patched in version 6.44, released on November 1, and the second in version 6.45, released on November 14.

The vulnerabilities are tracked as CVE-2024-10542 and CVE-2024-10781, with CVSS scores of 9.8 (critical) and 8.1 (high) respectively. Both stem from weak authorization checks that let an unauthenticated attacker install and activate arbitrary plugins; installing a plugin that is itself malicious or vulnerable can then lead to remote code execution on the affected site.

“Both vulnerabilities concern an authorization bypass issue that could allow a malicious actor to install and activate arbitrary plugins,” explained István Márton, a security researcher at Wordfence/Defiant.

The first flaw, CVE-2024-10542, lets an attacker spoof reverse DNS so that requests from an IP address they control appear to originate from the site’s own hostname, passing the plugin’s host-based authorization check. “The attacker can then perform any of the actions behind this intended authorization check, such as plugin installation, activation, deactivation, or uninstallation,” the Defiant security team warns.

The second, CVE-2024-10781, stems from a missing empty-value check in the same authorization logic: if no API key has been configured, the stored key is empty, and an attacker who supplies an empty key value is treated as authorized, with the same consequences as the first flaw.
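To make both failure modes concrete, the following is an added, illustrative PHP example written for this article. It is not CleanTalk’s code and does not reproduce the plugin’s real functions; the function names, parameters and the DNS lookup callbacks are all assumptions. It models a remote-control endpoint that authorizes a request either because the caller’s reverse DNS name matches the site’s own host (the first flaw) or because a supplied API key matches the stored one without rejecting an empty value (the second flaw), and shows the hardened form of each check. The DNS lookups are replaced by constructed in-memory tables so the script runs offline.

```php
<?php
// Added, illustrative example for this article; NOT CleanTalk's code and not a
// reproduction of the plugin's real functions. It models a remote-control
// endpoint that must decide whether a caller may install/activate plugins.
// Function names, parameters and the DNS callbacks are assumptions made here.

// WEAK pattern (the two failure modes the advisory describes):
//  1. Trusting the caller's reverse DNS (PTR) name as proof that the request
//     comes from the site itself. The PTR record for an IP is controlled by
//     whoever controls that IP's address space, so an attacker can point the
//     PTR for their own IP at the victim's hostname.
//  2. Comparing the API key with loose equality and never rejecting an empty
//     value. When no key has been configured, the stored key is '' and an
//     empty api_key parameter compares equal to it.
function authorize_request_weak(
    string $remote_ip,
    string $site_host,
    string $provided_key,   // e.g. $_REQUEST['api_key'] ?? ''
    string $stored_key,     // e.g. a plugin option, '' when never configured
    callable $resolve_ptr   // string $ip -> string hostname (stands in for gethostbyaddr())
): bool {
    // "Request originates from our own host" -- decided by reverse DNS alone.
    if ($resolve_ptr($remote_ip) === $site_host) {
        return true;
    }
    // No empty-value check, loose comparison ('' == '' is true; numeric-looking
    // strings are also compared numerically, e.g. '1e3' == '1000').
    if ($provided_key == $stored_key) {
        return true;
    }
    return false;
}

// HARDENED pattern:
//  - Reverse DNS is not used as an authorization signal at all.
//  - An unconfigured (empty) key means nobody is authorized, not everybody.
//  - Keys are compared with hash_equals() (strict, constant-time).
function authorize_request_hardened(string $provided_key, string $stored_key): bool {
    if ($stored_key === '' || $provided_key === '') {
        return false;
    }
    return hash_equals($stored_key, $provided_key);
}

// If a "came from our own host" check is genuinely required, forward-confirm
// it: resolve the PTR name back to addresses and require the caller's IP to be
// among them. Attackers control their own PTR record, not the victim's A/AAAA records.
function forward_confirmed_host(
    string $remote_ip,
    string $site_host,
    callable $resolve_ptr,
    callable $resolve_forward   // string hostname -> string[] addresses
): bool {
    $ptr = $resolve_ptr($remote_ip);
    if ($ptr !== $site_host) {
        return false;
    }
    return in_array($remote_ip, $resolve_forward($ptr), true);
}

// --- Demonstration with constructed, offline DNS stand-ins (no network) ---
$site_host = 'victim.example';
$ptr = function (string $ip): string {
    // 198.51.100.10 is the site's real address; 203.0.113.7 is the attacker's,
    // whose PTR record they have pointed at the victim's hostname.
    $table = ['198.51.100.10' => 'victim.example', '203.0.113.7' => 'victim.example'];
    return $table[$ip] ?? 'unknown';
};
$forward = function (string $name): array {
    $table = ['victim.example' => ['198.51.100.10']];
    return $table[$name] ?? [];
};

$cases = [
    'attacker IP, spoofed PTR, no key'  => ['203.0.113.7', '', 'secret'],
    'attacker IP, key never configured' => ['192.0.2.1', '', ''],
    'site IP, correct key'              => ['198.51.100.10', 'secret', 'secret'],
];
foreach ($cases as $label => [$ip, $provided, $stored]) {
    printf("%-36s weak=%s hardened=%s fcrdns=%s\n", $label,
        var_export(authorize_request_weak($ip, $site_host, $provided, $stored, $ptr), true),
        var_export(authorize_request_hardened($provided, $stored), true),
        var_export(forward_confirmed_host($ip, $site_host, $ptr, $forward), true));
}
```

Run with `php example.php`. The weak check accepts all three cases: the attacker with the spoofed PTR record passes the host check, and the attacker with an empty key passes the key comparison because the stored key is also empty. The hardened key check rejects both attacker cases and accepts only the correct key; the forward-confirmed host check rejects the spoofed PTR because the victim’s hostname does not resolve back to the attacker’s address. The design choice worth noting is that an unconfigured credential must fail closed: if the plugin has no key, no request should be authorized by key.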

Wordfence says its firewall has protected Premium, Care and Response customers against these flaws since they were reported. Free Wordfence users receive the same rules 30 days later: on November 29 for the first vulnerability and on December 4 for the second.

WordPress site owners are urged to ensure that their plugins are up to date. As of November 28, roughly half of the plugin’s active installations have not yet been updated, leaving many sites vulnerable to attack.

Administrators are strongly advised to update the CleanTalk Anti-Spam plugin to version 6.45 or later as soon as possible. Note that version 6.44 fixed only the first flaw; 6.45 is the first release that addresses both.

With over 200,000 WordPress sites affected, these vulnerabilities are a stark reminder of the importance of keeping website plugins up to date. For those still using older versions, the risk of exploitation remains high, and taking immediate action could be the difference between staying secure and falling victim to an attack.