November 26, 2024 at 08:42AM
Two critical vulnerabilities (CVE-2024-10542 and CVE-2024-10781) in WordPress’s CleanTalk plugin could enable attackers to install malicious plugins, potentially leading to remote code execution. With a CVSS score of 9.8, users are urged to update to versions 6.44 or 6.45 to mitigate risks against unauthorized access.
**Meeting Takeaways: Vulnerability / Website Security Update**
**Date:** November 26, 2024
**Attendee:** Ravie Lakshmanan
1. **Critical Security Flaws Identified:**
– Two vulnerabilities in the **CleanTalk Spam protection, Anti-Spam, FireWall plugin** for WordPress have been discovered, allowing unauthenticated attackers to install and enable malicious plugins, leading to potential remote code execution.
– Vulnerabilities tracked as **CVE-2024-10542** and **CVE-2024-10781**, both with a high severity **CVSS score of 9.8**.
2. **Affected Plugin Overview:**
– The CleanTalk plugin is installed on over **200,000 WordPress sites** and is marketed as a universal anti-spam solution.
3. **Technical Details:**
– **CVE-2024-10781:** Vulnerable due to a missing empty value check on the ‘api_key’ in the ‘perform’ function across all versions up to **6.44**.
– **CVE-2024-10542:** Caused by an authorization bypass related to reverse DNS spoofing on the **checkWithoutToken()** function.
– Exploitation could allow attackers to **install, activate, deactivate, or uninstall** plugins.
4. **Addressed Versions:**
– Vulnerabilities were patched in versions **6.44** and **6.45** released in November 2024.
5. **User Advisory:**
– Users are advised to **update to the latest versions** immediately to mitigate potential risks.
6. **Broader Context:**
– **Sucuri** alerts of ongoing campaigns exploiting compromised WordPress sites for various malicious activities, including redirecting visitors, credential skimming, and deploying malware.
7. **Next Steps:**
– Ensure proper communication to all users regarding the vulnerabilities and updates needed for security compliance.
– Monitor for any further security developments and maintain awareness of ongoing threats in the WordPress ecosystem.
**Follow-Up:** Further discussions on improving security measures for our websites may be warranted based on these vulnerabilities. Consider scheduling a meeting with the IT security team to address potential actions.