WEBSITE RISK - WordPress
26 Nov 2024
WordPress sites running the CleanTalk anti-spam plugin have two critical vulnerabilities that need urgent patching.
Two critical security vulnerabilities affecting the Spam Protection, Anti-Spam, and Firewall plugin for WordPress could allow unauthenticated attackers to install and activate arbitrary plugins on vulnerable sites, which can be chained into remote code execution.
The flaws, tracked as CVE-2024-10542 and CVE-2024-10781, carry a critical CVSS score of 9.8 out of 10. CVE-2024-10542 was fixed in plugin version 6.44 and CVE-2024-10781 in version 6.45, both released earlier this month.
The plugin, created by CleanTalk, is a "universal anti-spam plugin" designed to block spam in comments, registrations, surveys, and more. It is installed on over 200,000 WordPress sites worldwide.
According to Wordfence, both vulnerabilities stem from authorization bypass issues that let an attacker install and activate plugins without being logged in. An attacker who can install and activate arbitrary plugins can pick one with a known vulnerability, so the bypass can be chained into remote code execution.
Wordfence researcher István Márton noted that CVE-2024-10781 is caused by a missing check for an empty 'api_key' value in the 'perform' function, affecting all versions up to and including 6.44: the authorization comparison never rejects an empty key. CVE-2024-10542 is an authorization bypass via reverse DNS spoofing in the checkWithoutToken() function, fixed in 6.44: the function trusts the reverse-DNS name of the requesting IP address, and that name is set by whoever controls the IP's reverse zone, so an attacker can present whatever name the check expects.
If exploited, the vulnerabilities give an unauthenticated attacker control over plugin installation, activation, deactivation and removal on the affected site.
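The two weakness classes described above, as an added example written for this page in Python rather than the plugin's PHP. It is not CleanTalk's code and does not reproduce the plugin's logic; it shows the generic shape of each bug next to a hardened check. The vendor domain vendor.example, the IP addresses and the DNS records are constructed for the demo, and the "site has no API key configured" scenario is an assumption used to show why an empty-value check matters.

```python
"""
Added illustration (not CleanTalk's code) of two authorization-bypass patterns:
  1. an API-key comparison that never rejects an empty key, and
  2. a check that trusts the reverse-DNS (PTR) name of the requesting IP
     without forward-confirming it.
All DNS data is constructed inline; nothing touches the network.
"""
import hmac
from dataclasses import dataclass, field

# Hypothetical vendor domain standing in for whatever the real check expects.
TRUSTED_SUFFIX = ".vendor.example"


@dataclass
class FakeResolver:
    """Stand-in for gethostbyaddr()/getaddrinfo(), seeded with constructed records."""
    ptr: dict = field(default_factory=dict)   # ip -> PTR name (controlled by the IP's owner)
    a: dict = field(default_factory=dict)     # name -> list of IPs (controlled by the zone owner)

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name, [])


# --- weak checks: the patterns the advisory describes ---

def weak_key_check(request_key, stored_key):
    # Bug: if the site has no key configured (stored_key == ""), a request
    # carrying an empty key compares equal and is authorized.
    return request_key == stored_key


def weak_rdns_check(client_ip, resolver):
    # Bug: the PTR record for client_ip is published by whoever controls that
    # IP's reverse zone, so the attacker chooses the name this check sees.
    name = resolver.reverse(client_ip) or ""
    return name.endswith(TRUSTED_SUFFIX)


# --- hardened checks ---

def strong_key_check(request_key, stored_key):
    # Reject a missing or empty key on either side before comparing, and use a
    # constant-time comparison for the rest.
    if not request_key or not stored_key:
        return False
    return hmac.compare_digest(request_key.encode(), stored_key.encode())


def fcrdns_check(client_ip, resolver):
    # Forward-confirmed reverse DNS: the PTR name must resolve back to client_ip.
    # The attacker can set their own PTR but cannot add records to the vendor's zone.
    name = resolver.reverse(client_ip)
    if not name or not name.endswith(TRUSTED_SUFFIX):
        return False
    return client_ip in resolver.forward(name)


def authorize(client_ip, request_key, stored_key, resolver):
    # Hardened policy: the origin check is a filter, never the sole credential.
    return fcrdns_check(client_ip, resolver) and strong_key_check(
        request_key, stored_key
    )


# Constructed records: 203.0.113.10 is the legitimate vendor host; 198.51.100.7
# is an attacker who set their own PTR to look like the vendor.
RESOLVER = FakeResolver(
    ptr={"203.0.113.10": "api.vendor.example", "198.51.100.7": "evil.vendor.example"},
    a={"api.vendor.example": ["203.0.113.10"]},
)


def run_demo(resolver=RESOLVER):
    """Return each check's verdict on the empty-key and spoofed-PTR cases."""
    return {
        "weak_key_accepts_empty": weak_key_check("", ""),
        "strong_key_accepts_empty": strong_key_check("", ""),
        "weak_rdns_accepts_spoof": weak_rdns_check("198.51.100.7", resolver),
        "fcrdns_accepts_spoof": fcrdns_check("198.51.100.7", resolver),
        "fcrdns_accepts_vendor": fcrdns_check("203.0.113.10", resolver),
        "authorize_vendor_empty_key": authorize("203.0.113.10", "", "", resolver),
        "authorize_vendor_good_key": authorize("203.0.113.10", "s3cret", "s3cret", resolver),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:28s} {verdict}")
```

The point of the hardened version is the combination: an empty or unconfigured key must fail closed rather than match an empty request value, and a reverse-DNS name only gates the request after the name is resolved forward again and found to point at the requesting IP; neither check alone should grant the ability to install plugins.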
Site owners should update the plugin to version 6.45 or later; version 6.44 closes only CVE-2024-10542. After updating, confirm the installed version in the WordPress Plugins screen, since a site left on 6.44 is still exposed to CVE-2024-10781.
The disclosure coincides with warnings from Sucuri about ongoing campaigns that inject malicious code into compromised WordPress sites to redirect visitors, steal login credentials, drop malware or execute arbitrary PHP code on the server.
LoughTec are cyber security experts. Does your website or business IT infrastructure need a cyber risk assessment?
Click on the following links for more information on how LoughTec can help with web-application-testing or a cyber-attack-assessment
news source = https://thehackernews.com/2024/11/critical-wordpress-anti-spam-plugin.html