Critical Flaws in WordPress Anti-Spam Plugin Expose 200,000+ Websites to Remote Attacks

Two severe security vulnerabilities have been discovered in the WordPress plugin "Spam Protection, Anti-Spam, and FireWall." These flaws could allow unauthenticated attackers to install and activate malicious plugins on affected sites, potentially leading to remote code execution (RCE).
The vulnerabilities, identified as CVE-2024-10542 and CVE-2024-10781, have been given a high severity rating with a CVSS score of 9.8 out of 10. Fixes for these issues were released in versions 6.44 and 6.45 of the plugin earlier this month.
Plugin Overview
The plugin, developed by CleanTalk, is installed on over 200,000 WordPress websites. It is marketed as a "universal anti-spam plugin" capable of blocking spam comments, registrations, surveys, and other forms of unwanted content.
Nature of the Vulnerabilities
According to Wordfence, the vulnerabilities are tied to authorization bypass flaws. These issues could enable attackers to install and activate arbitrary plugins. If one of these plugins contains exploitable code, it could allow for remote code execution.
- CVE-2024-10781: This vulnerability stems from a missing check for empty values in the `api_key` parameter within the `perform` function. This oversight exists in all versions up to and including 6.44. Security researcher István Márton highlighted that this flaw enables unauthorized arbitrary plugin installation.
- CVE-2024-10542: This issue arises from an authorization bypass via reverse DNS spoofing in the `checkWithoutToken()` function.
Successful exploitation of these vulnerabilities could allow attackers to install, activate, deactivate, or even uninstall plugins on a compromised site.
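The two authorization patterns described above, shown as an added illustration rather than the plugin's own code: a key check that accepts an empty `api_key` beside one that rejects it, and a hostname check that trusts reverse DNS alone beside its forward-confirmed form. All function names and the injected resolver callables are assumptions.

```php
<?php
// Added illustration, not CleanTalk's code: the two authorization patterns
// this advisory describes, each as a weak form beside a hardened form.
// Function names and the injected resolver callables are assumptions.
// Pattern 1: API-key check with no guard for empty values. Weak: when no
// key is stored, '' === '' passes for a request that simply omits api_key.
function weak_key_check(?string $storedKey, ?string $requestKey): bool {
    return (string) $storedKey === (string) $requestKey;
}

// Hardened: refuse empty or missing values first, then compare in constant
// time so the key cannot be recovered through timing differences.
function hardened_key_check(?string $storedKey, ?string $requestKey): bool {
    if ($storedKey === null || $storedKey === '' ||
        $requestKey === null || $requestKey === '') {
        return false;
    }
    return hash_equals($storedKey, $requestKey);
}
// Pattern 2: trusting reverse DNS alone. Weak: the PTR record belongs to
// whoever controls the client's IP block, so the name is a claim, not proof.
function weak_host_check(string $ip, string $suffix, callable $ptr): bool {
    $host = $ptr($ip);                        // stands in for gethostbyaddr()
    return $host !== false && str_ends_with($host, $suffix);
}

// Hardened: forward-confirmed reverse DNS. Resolve the claimed hostname back
// to its addresses and require the client IP to be one of them.
function hardened_host_check(string $ip, string $suffix,
                             callable $ptr, callable $forward): bool {
    $host = $ptr($ip);
    if ($host === false || !str_ends_with($host, $suffix)) {
        return false;
    }
    $addresses = $forward($host);             // stands in for gethostbynamel()
    return is_array($addresses) && in_array($ip, $addresses, true);
}
// Constructed resolvers: 198.51.100.7 carries a PTR naming
// api.trusted.example, but that name really resolves only to 203.0.113.10.
$ptr     = fn(string $ip) => $ip === '198.51.100.7' ? 'api.trusted.example' : false;
$forward = fn(string $h)  => $h === 'api.trusted.example' ? ['203.0.113.10'] : false;
foreach ([
    'weak key, none stored'      => weak_key_check('', null),
    'hardened key, none stored'  => hardened_key_check('', null),
    'weak host, spoofed PTR'     => weak_host_check('198.51.100.7', '.trusted.example', $ptr),
    'hardened host, spoofed PTR' => hardened_host_check('198.51.100.7', '.trusted.example', $ptr, $forward),
] as $label => $ok) {
    printf("%-27s authorized=%s\n", $label, $ok ? 'yes' : 'no');
}
```

The weak variants report the request as authorized in both constructed cases, while the hardened variants reject it; the same empty-value and forward-confirmation checks apply wherever a plugin gates privileged actions on a shared secret or a client hostname.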
Recommendations
Website administrators using the plugin are strongly urged to update to the latest patched version (6.45 or newer) immediately to protect their sites from potential attacks.
Broader WordPress Threat Landscape
These vulnerabilities add to ongoing concerns about WordPress site security. Sucuri recently reported active campaigns leveraging compromised WordPress sites to:
- Inject malicious code that redirects visitors to fraudulent websites.
- Steal login credentials through phishing schemes.
- Deploy malware capable of capturing admin passwords.
- Redirect users to scam sites such as VexTrio Viper.
- Execute arbitrary PHP code on servers.
Given the widespread use of WordPress, users are advised to regularly update plugins, use strong passwords, and monitor their sites for suspicious activity.