Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks

I show You how To Make Huge Profits In A Short Time With Cryptos!

Nov 26, 2024Ravie LakshmananVulnerability / Website Security

Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution.

The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions 6.44 and 6.45 released this month.

Installed on over 200,000 WordPress sites, CleanTalk’s Spam protection, Anti-Spam, FireWall plugin is advertised as a “universal anti-spam plugin” that blocks spam comments, registrations, surveys, and more.

Cybersecurity

According to Wordfence, both vulnerabilities concern an authorization bypass issue that could allow a malicious actor to install and activate arbitrary plugins. This could then pave the way for remote code execution if the activated plugin is vulnerable of its own.

The plugin is “vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the ‘api_key’ value in the ‘perform’ function in all versions up to, and including, 6.44,” security researcher István Márton said, referring to CVE-2024-10781.

On the other hand, CVE-2024-10542 stems from an authorization bypass via reverse DNS spoofing on the checkWithoutToken() function.

Regardless of the bypass method, successful exploitation of the two shortcomings could allow an attacker to install, activate, deactivate, or even uninstall plugins.

Cybersecurity

Users of the plugin are advised to ensure that their sites are updated to the latest patched version to safeguard against potential threats.

The development comes as Sucuri has warned of multiple campaigns that are leveraging compromised WordPress sites to inject malicious code responsible for redirecting site visitors to other sites via bogus ads, skimming login credentials, as well as drop malware that captures admin passwords, redirects to VexTrio Viper scam sites, and execute arbitrary PHP code on the server.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

سكس محارم حقيقي awktec.com xnxxقطر sleeping mom hentai hentaipics.org dog days anime hentai small cock sfico.info thaman sex x videos movies penyporn.mobi village girls xnxx kerelasex xxx-tube-list.info hd naked sex video
ローカルテレビ局統括プロデューサー g爆乳淫獣妻 設楽アリサ 42歳 avデビュー 細身に似つかわしくないgカップ人妻と眼鏡が曇るほど熱く激しい超濃密セックス sakurajav.mobi 音あずさ 無修正 selfie porn bdsmporntrends.com sholay hindi movie full hd sexy beerus mirhentai.com gragas hentai يلا اباحيه farmsextube.net سكس في الغردقه punjabi sexy movie hd hqtube.mobi rape scandal mms
karasuma pink xhentaisex.com aisai nettori puja sex story pornorolik.org www worldsex.com quantico sex pornstarslist.info peporonity red tube.com indian bravosex.mobi nepali pussy indian fsiblog com gotubexxx.com chaturbate indian