Two critical vulnerabilities in CleanTalk’s anti-spam plugin for WordPress could allow attackers to execute arbitrary code remotely, without authentication, Defiant warns.
The issues, tracked as CVE-2024-10542 and CVE-2024-10781 (CVSS score of 9.8), affect the ‘Spam protection, Anti-Spam, FireWall by CleanTalk’ plugin, which has more than 200,000 active installations.
Both flaws could allow remote, unauthenticated attackers to install and activate arbitrary plugins, including vulnerable plugins that could be exploited for remote code execution (RCE).
CVE-2024-10542, Defiant explains, is an authorization bypass in a function that handles remote calls and plugin installations and performs token authorization for these actions.
Two other functions that are used to check the originating IP address and the domain name are vulnerable to IP and DNS spoofing, allowing attackers to specify an IP and a subdomain they control and bypass the authorization.
“The attacker can then perform any of the actions behind this intended authorization check, such as plugin installation, activation, deactivation or uninstallation,” Defiant explains.
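The weakness described above, that a caller-origin check can be satisfied when the caller controls the IP it claims and the hostname that IP is checked against, is illustrated below. This is an added example, not CleanTalk's code or Defiant's analysis; the header names, the trusted domain suffix and the DNS data are constructed assumptions, and the resolver is a local table so the example runs offline.

```python
"""Added illustration (not the plugin's code) of a caller-origin check that trusts
client-supplied IP and hostname values, next to a fail-closed variant.
TRUSTED_SUFFIX, the header names and the DNS records are all constructed."""
from typing import Dict, List, Mapping

# Assumption: only hosts under this suffix may issue remote plugin-management calls.
TRUSTED_SUFFIX = ".vendor.example"

# Constructed DNS view so the example runs offline (name -> A records, ip -> PTR names).
FORWARD: Dict[str, List[str]] = {
    "api.vendor.example": ["203.0.113.10"],
    "evil.attacker.example": ["198.51.100.7"],
}
REVERSE: Dict[str, List[str]] = {
    "203.0.113.10": ["api.vendor.example"],
    "198.51.100.7": ["evil.attacker.example"],
}


def resolve_a(name: str) -> List[str]:
    """Forward lookup against the constructed table."""
    return FORWARD.get(name, [])


def resolve_ptr(ip: str) -> List[str]:
    """Reverse lookup against the constructed table."""
    return REVERSE.get(ip, [])


def weak_is_trusted_caller(headers: Mapping[str, str], remote_addr: str) -> bool:
    """Spoofable pattern: the IP is taken from a client-settable header and the
    hostname it is verified against also comes from the client, so the caller
    controls both sides of the comparison (IP spoofing via the header, DNS
    spoofing via a name whose records the caller owns)."""
    claimed_ip = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    claimed_host = headers.get("X-Caller-Host", "")
    return claimed_ip in resolve_a(claimed_host)


def hardened_is_trusted_caller(_headers: Mapping[str, str], remote_addr: str) -> bool:
    """Fail-closed variant: request headers are ignored, the socket peer address is
    the starting point, and the PTR name must be under the trusted suffix AND
    forward-resolve back to the same address (forward-confirmed reverse DNS)."""
    for name in resolve_ptr(remote_addr):
        if name.endswith(TRUSTED_SUFFIX) and remote_addr in resolve_a(name):
            return True
    return False
```

The two conditions in the hardened check matter together: a reverse record alone is under the control of whoever holds the address block, and a forward record alone is under the control of whoever holds the domain, so only the combination of a forward-confirmed PTR name plus a suffix restriction ties the caller to the expected operator. If the site sits behind a trusted reverse proxy, the proxy's own header may be used, but only after verifying that the socket peer is that proxy.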
The flaw was found in late October and was resolved on November 1 with the release of version 6.44 of the plugin. The patched version, however, was found to be vulnerable to CVE-2024-10781, a second method of bypassing the token authorization.
Because the token can be authorized through hash comparison with the API key, if a website has not configured the API key in the plugin, an attacker can authorize themselves “using a token matching the empty hash value”, Defiant explains.
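The empty-key failure mode described above is shown below in a small added example that is not the plugin's code: the weak check hashes an unset API key as though it were the empty string, so a single well-known digest authorizes on every unconfigured site, while the hardened check fails closed when no key exists. The hash algorithm (SHA-256), the token format and the site records are assumptions.

```python
"""Added illustration (not CleanTalk's code) of token authorization by hash
comparison against a per-site API key. SHA-256 and the token format are assumed;
SITES is a constructed set of site configurations."""
import hashlib
import hmac
from typing import Dict, List, Optional


def key_token(api_key: str) -> str:
    """Token a legitimate remote caller derives from the shared site API key (assumed format)."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def weak_authorize(token: str, api_key: Optional[str]) -> bool:
    """Defect: with no key configured, (api_key or "") hashes to the fixed digest of
    the empty string, so a token equal to that digest passes on every site that
    never set a key."""
    expected = hashlib.sha256((api_key or "").encode()).hexdigest()
    return token == expected


def hardened_authorize(token: str, api_key: Optional[str]) -> bool:
    """Fail closed when no key exists, then compare digests in constant time."""
    if not api_key:
        return False
    return hmac.compare_digest(token.encode(), key_token(api_key).encode())


def audit_sites(sites: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Defender-side check: which site records would the weak check authorize for
    the empty-key token? Any name returned is a site still needing a key set
    (and the patched plugin version)."""
    empty_token = key_token("")
    return [name for name, cfg in sites.items() if weak_authorize(empty_token, cfg.get("api_key"))]


# Constructed site configurations: one with a key, one with None, one with "".
SITES: Dict[str, Dict[str, Optional[str]]] = {
    "shop": {"api_key": "s3cr3t-key"},
    "blog": {"api_key": None},
    "docs": {"api_key": ""},
}
```

The fail-closed branch is the substantive fix: an authorization path that depends on a secret must refuse when the secret has never been provisioned rather than fall back to a default the whole world can compute. The constant-time comparison is a separate, routine hardening and does not by itself address the empty-key case.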
As with the first vulnerability, successful exploitation of CVE-2024-10781 allows an attacker to install and activate arbitrary plugins and then exploit them for RCE.
Spam protection, Anti-Spam, FireWall by CleanTalk version 6.45 was released on November 14 with patches for the second vulnerability.
According to WordPress data, as of November 26, roughly half of the plugin’s active installations do not run a patched version, meaning they are potentially exposed to exploitation attempts.
Users are advised to update to version 6.45 as soon as possible, as it contains fixes for both security defects.