A critical vulnerability was discovered on October 30th, 2024 in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active installations.
This flaw allows unauthenticated attackers to install and activate arbitrary plugins, which could lead to remote code execution on vulnerable sites.
The two vulnerabilities discovered in the plugin are tracked as CVE-2024-10542 and CVE-2024-10781.
Wordfence researchers rated both vulnerabilities as Critical, each with a score of 9.8.
The complete flaw profile for these two vulnerabilities is given below:
The first vulnerability stems from the checkWithoutToken() function, which relies on IP address resolution and domain name checking. An attacker can exploit this by:
This bypass allows unauthorized actions such as plugin installation, activation, deactivation, or uninstallation.
The second vulnerability arises from a missing check for an empty API key value. If no API key has been configured, an attacker can authorize themselves by presenting a token that matches the hash of the empty value.
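The empty-key flaw described above, modelled as an added example in Python (this is illustrative code written for this article, not the plugin's own PHP, and the md5-of-key token scheme, the function names and the sample key values are assumptions). It places the unchecked authorization beside a hardened version that refuses to authorize at all when no key is configured and compares tokens in constant time:

```python
import hashlib
import hmac

# Constructed sample values (not taken from the plugin): a site that never set a key,
# and one with a key configured.
EMPTY_KEY = ""
CONFIGURED_KEY = "example-configured-key"  # constructed


def make_token(api_key: str) -> str:
    """Hypothetical token derivation: the token must equal a hash of the API key.
    Using md5 here is an assumption for illustration, not the plugin's scheme."""
    return hashlib.md5(api_key.encode()).hexdigest()


def vulnerable_authorize(stored_api_key: str, presented_token: str) -> bool:
    """Models the flaw: nothing verifies that a key was ever configured, so an
    empty key produces a well-known, publicly computable hash that anyone can present."""
    return presented_token == make_token(stored_api_key)


def hardened_authorize(stored_api_key: str, presented_token: str) -> bool:
    """Refuse outright when no key is configured, and never derive a usable token
    from the empty string; compare in constant time to avoid timing leaks."""
    if not stored_api_key:
        return False
    return hmac.compare_digest(presented_token, make_token(stored_api_key))


def demo() -> dict:
    """Exercise both checks against the empty-key hash and a real key."""
    empty_hash = make_token(EMPTY_KEY)  # hash of "": a constant anyone can compute
    return {
        "vulnerable_empty_key": vulnerable_authorize(EMPTY_KEY, empty_hash),  # True: bypass
        "hardened_empty_key": hardened_authorize(EMPTY_KEY, empty_hash),      # False: rejected
        "hardened_valid": hardened_authorize(CONFIGURED_KEY, make_token(CONFIGURED_KEY)),
        "hardened_wrong": hardened_authorize(CONFIGURED_KEY, empty_hash),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defensive point is the explicit "no key configured" branch: an authorization check built on "does the presented value match the hash of what we stored" silently degrades to "does it match the hash of nothing" on any installation where the setting was left blank, so the hardened version treats a missing key as a hard deny rather than as a key whose value happens to be empty.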
The complete disclosure timeline is given below:
Researchers recommend the following:
This security incident highlights the importance of prompt security updates and responsible disclosure in the WordPress ecosystem.
The post WordPress Plugin Flaw Exposes 200,000 WordPress Sites To Hacking appeared first on Cyber Security News.