A critical security vulnerability has been found in the popular WordPress plugin Anti-Spam by CleanTalk, which is installed on over 200,000 websites.
The vulnerability, which comprises two distinct flaws (CVE-2024-10542 and CVE-2024-10781), could allow attackers to install and activate arbitrary plugins on affected websites, potentially leading to remote code execution and full site compromise.
Website owners are urged to take immediate action by updating to the latest version of the plugin to secure their sites.
Vulnerabilities Overview
CVE-2024-10542: Authorization Bypass via Reverse DNS Spoofing
This vulnerability allows attackers to bypass authorization checks using reverse DNS spoofing.
By exploiting the checkWithoutToken() function, attackers can impersonate the CleanTalk servers, enabling them to install and activate arbitrary plugins without authentication.
CVE-2024-10781: Authorization Bypass due to Missing Empty Value Check
This flaw exposes websites to unauthorized actions when the plugin's API key is left unconfigured.
Attackers can exploit this by authorizing themselves with the hash of an empty API key and performing actions such as plugin installation or activation.
Both vulnerabilities are classified as critical because they can lead to remote code execution, which could compromise the integrity and security of affected websites.
Wordfence Premium, Care, and Response users already have active firewall rules protecting against these vulnerabilities.
Technical Analysis
Authorization Bypass via Reverse DNS Spoofing (CVE-2024-10542)
The flaw resides in the checkWithoutToken() function, which checks whether a request originates from a CleanTalk server.
However, the verification relies on the gethostbyaddr() function, whose result can be manipulated through DNS spoofing.
An attacker can craft a hostname containing "cleantalk.org" (e.g., cleantalk.org.evilsite.com) to pass the check and bypass authorization. This grants the attacker the ability to install or activate malicious plugins.
Vulnerable Code Snippet:
public static function checkWithoutToken()
{
    global $apbct;

    // True only when no valid API key is configured and the request looks like a
    // CleanTalk remote call whose reverse-DNS name merely contains "cleantalk.org".
    $is_noc_request = ! $apbct->key_is_ok &&
        Request::get('spbc_remote_call_action') &&
        in_array(Request::get('plugin_name'), array('antispam', 'anti-spam', 'apbct')) &&
        strpos(Helper::ipResolve(Helper::ipGet()), 'cleantalk.org') !== false;

    return $is_noc_request;
}
The use of strpos() to look for the substring cleantalk.org anywhere in the resolved hostname, rather than requiring the hostname to be cleantalk.org or one of its subdomains, makes this function vulnerable to spoofing attacks.
Authorization Bypass due to Missing Empty Value Check (CVE-2024-10781)
The second vulnerability stems from a lack of validation for empty API keys. If the plugin's API key is not configured, attackers can exploit the fallback logic to authorize themselves by supplying the hash of an empty key.
This issue is particularly severe because it affects unconfigured plugins, which may be common among less experienced website administrators.
Vulnerable Code Snippet:
// No check that $apbct->api_key is non-empty: md5('') and sha256('') are fixed,
// publicly known values, so an empty key makes the token comparison trivial.
if (
    ($token === strtolower(md5($apbct->api_key)) ||
     $token === strtolower(hash('sha256', $apbct->api_key))) ||
    self::checkWithoutToken()
) {
    // Authorization logic
}
Without an API key, the hash comparison becomes trivial, allowing attackers to bypass security measures.
The vulnerabilities were responsibly disclosed through the Wordfence Bug Bounty Program by researchers mikemyers and István Márton.
The program incentivizes ethical hacking to identify and address vulnerabilities in WordPress plugins, with mikemyers receiving a bounty of $4,095 for their discovery.
Wordfence's mission to secure the web continues to drive improvements in WordPress security. The discovery of these critical vulnerabilities highlights the importance of timely updates and proactive security measures for WordPress website owners.
While the CleanTalk team acted swiftly to patch the issues, website administrators must ensure their sites are updated to the latest version to avoid exploitation. Always prioritize security to protect your website and its users from potential threats.
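The two weak checks analyzed above (the substring match on the reverse-DNS name and the hash comparison that never rejects an empty key) placed beside hardened equivalents, as an added example that is not CleanTalk's or Wordfence's code. Function names are hypothetical, and the forward-DNS result is passed in as a parameter rather than resolved over the network.

```php
<?php
// Added example, not the plugin's code. Helper names are hypothetical.

// Weak: a substring match accepts any reverse-DNS name that merely contains
// "cleantalk.org", including a name such as "cleantalk.org.evilsite.com".
function weakHostCheck(string $resolvedHost): bool
{
    return strpos($resolvedHost, 'cleantalk.org') !== false;
}

// Hardened: the name must be the trusted domain itself or end in ".cleantalk.org",
// and the forward lookup of that name (e.g. from gethostbynamel(), supplied here
// as $forwardIps) must contain the connecting IP, so a spoofed PTR record alone
// is not enough (forward-confirmed reverse DNS).
function strictHostCheck(string $ip, string $resolvedHost, array $forwardIps): bool
{
    $host    = strtolower(rtrim($resolvedHost, '.'));
    $trusted = 'cleantalk.org';
    $suffix  = '.' . $trusted;
    $nameOk  = $host === $trusted
        || (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix);
    return $nameOk && in_array($ip, $forwardIps, true);
}

// Weak: with an empty key, md5('') and sha256('') are well-known constants, so
// the comparison succeeds for any request carrying one of them.
function weakTokenCheck(string $token, string $apiKey): bool
{
    return $token === strtolower(md5($apiKey))
        || $token === strtolower(hash('sha256', $apiKey));
}

// Hardened: refuse when no key is configured, then compare in constant time.
function strictTokenCheck(string $token, string $apiKey): bool
{
    if ($apiKey === '') {
        return false;
    }
    return hash_equals(strtolower(hash('sha256', $apiKey)), strtolower($token));
}

// Constructed inputs: a spoofed reverse-DNS name, a forward lookup that does not
// match the connecting IP, and an unconfigured (empty) API key.
$spoofed = 'cleantalk.org.evilsite.com';
var_dump(weakHostCheck($spoofed));
var_dump(strictHostCheck('203.0.113.5', $spoofed, ['198.51.100.7']));
var_dump(weakTokenCheck(md5(''), ''));
var_dump(strictTokenCheck(md5(''), ''));
```

Run with the php CLI: the two weak checks accept the spoofed name and the empty-key hash, while the hardened checks reject both.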