
WordPress Anti-Spam Plugin Vulnerability Affects More Than 200,000 Sites: Risk of Malicious Plugin Installation

This vulnerability has been rated 9.8 out of 10 in severity, indicating the serious risks it poses to website security.

A critical vulnerability in the CleanTalk Anti-Spam plugin for WordPress has left over 200,000 websites at risk, according to security researchers. The flaw, which affects versions up to 6.43.2, allows unauthenticated attackers to bypass authentication checks and install arbitrary plugins on affected sites. This vulnerability has been rated 9.8 out of 10 in severity, indicating the serious risks it poses to website security.

The flaw in the CleanTalk plugin is a reverse DNS spoofing vulnerability that enables attackers to make the plugin believe malicious requests originate from trusted sources. This gives attackers unauthorized access to WordPress sites without any need for login credentials, allowing them to upload and install malicious plugins designed to execute remote code and take total control of the website.

The vulnerability was identified by Wordfence security researchers, who explained that the problem lies in the plugin's checkWithoutToken function. Because the plugin does not perform a proper authorization check, attackers can exploit this flaw to install malware on the website and take control of its operations. Once in control, they can use the website for phishing attacks, spamming, or even data theft.
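As an added illustration (not the plugin's own code and not Wordfence's analysis), the snippet below contrasts a trust check based on reverse DNS alone with forward-confirmed reverse DNS (FCrDNS), which is the standard mitigation for this class of spoofing. The trusted domain, the IP addresses and the resolver data are all constructed for the example.

```python
"""Why a reverse-DNS-only trust check is spoofable, and how FCrDNS closes it.

DNS lookups are injected as callables so the example runs offline on the
constructed zone data below; swap in real resolver calls to use it live.
"""
import ipaddress
from typing import Callable, Iterable

# Hypothetical trusted domain: the article names no specific hostname.
TRUSTED_SUFFIX = ".trusted.example.com"

PtrLookup = Callable[[str], str]                 # client IP -> PTR hostname
ForwardLookup = Callable[[str], Iterable[str]]   # hostname -> A/AAAA records


def weak_is_trusted(ip: str, ptr: PtrLookup) -> bool:
    """Reverse-DNS-only check: the spoofable pattern.

    Whoever administers the PTR zone for the client's address chooses the
    name returned here, so a matching suffix proves nothing by itself."""
    host = ptr(ip).lower()
    return host.endswith(TRUSTED_SUFFIX)


def fcrdns_is_trusted(ip: str, ptr: PtrLookup, forward: ForwardLookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.

    The forward zone is under the trusted party's control, so an attacker
    who only controls the PTR record for their own IP cannot pass it."""
    host = ptr(ip).lower()
    if not host.endswith(TRUSTED_SUFFIX):
        return False
    try:
        client = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(ipaddress.ip_address(a) == client for a in forward(host))


# Constructed zone data using RFC 5737 documentation ranges, not real hosts.
PTR_ZONE = {
    "192.0.2.10": "api.trusted.example.com",     # legitimate service host
    "198.51.100.77": "api.trusted.example.com",  # attacker-controlled PTR
}
FORWARD_ZONE = {
    "api.trusted.example.com": ["192.0.2.10"],   # only the real host
}


def demo(ip: str) -> tuple:
    """Return (weak_result, fcrdns_result) for one client IP."""
    def ptr(addr: str) -> str:
        return PTR_ZONE.get(addr, "")

    def fwd(name: str) -> list:
        return FORWARD_ZONE.get(name, [])

    return weak_is_trusted(ip, ptr), fcrdns_is_trusted(ip, ptr, fwd)
```

The spoofed client (198.51.100.77) passes the weak check but fails FCrDNS, while the genuine host passes both and an unrelated address passes neither.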

This case clearly shows that the security of WordPress sites needs to be strengthened, especially when relying on third-party plugins. Website owners using the CleanTalk Anti-Spam plugin are advised to update to the latest version, which closes this vulnerability, to avoid being exploited in the future. Regular security audits should be performed, and firewalls such as the one offered by Wordfence deployed, to prevent this kind of threat.

The CleanTalk vulnerability is a stark reminder of the security risks third-party plugins pose, even those designed to protect websites. Website owners must be on their guard and ensure that their sites are protected against emerging threats like this one, which can have devastating consequences if left unchecked.
