info@thehackernews.com (The Hacker News)
2024-11-26 08:23:00
thehackernews.com
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution.
The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions 6.44 and 6.45 released this month.
Installed on over 200,000 WordPress sites, CleanTalk’s Spam protection, Anti-Spam, FireWall plugin is advertised as a “universal anti-spam plugin” that blocks spam comments, registrations, surveys, and more.
According to Wordfence, both vulnerabilities concern an authorization bypass issue that could allow a malicious actor to install and activate arbitrary plugins. This could then pave the way for remote code execution if the activated plugin is vulnerable of its own.
The plugin is “vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the ‘api_key’ value in the ‘perform’ function in all versions up to, and including, 6.44,” security researcher István Márton said, referring to CVE-2024-10781.
On the other hand, CVE-2024-10542 stems from an authorization bypass via reverse DNS spoofing on the checkWithoutToken() function.
Regardless of the bypass method, successful exploitation of the two shortcomings could allow an attacker to install, activate, deactivate, or even uninstall plugins.
Users of the plugin are advised to ensure that their sites are updated to the latest patched version to safeguard against potential threats.
The development comes as Sucuri has warned of multiple campaigns that are leveraging compromised WordPress sites to inject malicious code responsible for redirecting site visitors to other sites via bogus ads, skimming login credentials, as well as drop malware that captures admin passwords, redirects to VexTrio Viper scam sites, and execute arbitrary PHP code on the server.
Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.
Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.
Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.