Arbitrary Plugin Installation Vulnerability in CleanTalk WordPress Plugin
CVE-2024-10781

8.1 HIGH

Key Information:

Vendor:
WordPress
CVE Published:
26 November 2024

Badges

👾 Exploit Exists
📰 News Worthy

Summary

The CleanTalk Spam Protection plugin for WordPress, in all versions up to and including 6.44, has a critical vulnerability that allows unauthorized users to perform arbitrary plugin installations. The flaw arises from a missing empty-value check on the 'api_key' parameter in the 'perform' function: when the key is empty, the authorization check does not fail as intended. As a result, unauthenticated attackers can exploit this oversight to install and activate any arbitrary plugin. If another vulnerable plugin is installed and activated this way, the hole can lead to remote code execution, jeopardizing the integrity and security of affected WordPress sites.

Affected Version(s)

Spam protection, Anti-Spam, FireWall by CleanTalk: <= 6.44

News Articles

Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites

Two vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin allowed attackers to execute arbitrary code remotely.

2 months ago

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability reserved

Credit

István Márton