200,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in Anti-Spam by CleanTalk WordPress Plugin


🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024:

  • All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
  • All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
  • Minimum bounty of $5 for all valid in-scope submissions.
  • All researchers earn automatic bonuses of between 5% to 180% for valid submissions
  • Pending report limits are increased for all
  • It’s possible to earn up to $31,200 for high impact vulnerabilities!

On October 30th, 2024, we received a submission for an Authorization Bypass via Reverse DNS Spoofing vulnerability in Anti-Spam by CleanTalk, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to install and activate arbitrary plugins on a vulnerable site, which can be leveraged to achieve remote code execution. A few days later on November 4th, our Threat Intelligence Team discovered another vulnerability in the same functionality that could be leveraged to perform the same actions.

Props to mikemyers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,095.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the first vulnerability, Authorization Bypass via Reverse DNS Spoofing, on October 30, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on November 29, 2024.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the second vulnerability, Authorization Bypass due to Missing Empty Value Check, on November 4, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on December 4, 2024.

We contacted the CleanTalk team on October 30, 2024, and received a response on the same day. After providing full disclosure details, the developer released the first patch on November 1, 2024, and the second patch on November 14, 2024. We would like to commend the CleanTalk team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Anti-Spam by CleanTalk, version 6.45 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 – Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation
Affected Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Plugin Slug: cleantalk-spam-protect
Affected Versions: <= 6.43.2
CVE ID: CVE-2024-10542
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: mikemyers
Fully Patched Version: 6.44
Bounty Award: $4,095.00

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Description: Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 – Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation
Affected Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Plugin Slug: cleantalk-spam-protect
Affected Versions: <= 6.44
CVE ID: CVE-2024-10781
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: István Márton
Fully Patched Version: 6.45

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the ‘api_key’ value in the ‘perform’ function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Technical Analysis #1: Authorization Bypass via Reverse DNS Spoofing

Examining the code reveals that the plugin uses the perform() function in the RemoteCalls class to handle the remote calls and perform various actions such as installing a plugin.

The function contains the following code snippet:

// Check Access key
if (
    ($token === strtolower(md5($apbct->api_key)) ||
     $token === strtolower(hash('sha256', $apbct->api_key))) ||
    self::checkWithoutToken()
) {
    // Flag to let plugin know that Remote Call is running.
    $apbct->rc_running = true;

    $action = 'action__' . $action;

    if ( method_exists(__CLASS__, $action) ) {

This compares the token with the stored API key, or checks via the checkWithoutToken() function to see whether the action can be performed without a token.

public static function checkWithoutToken()
{
    global $apbct;

    $is_noc_request = ! $apbct->key_is_ok &&
        Request::get('spbc_remote_call_action') &&
        in_array(Request::get('plugin_name'), array('antispam', 'anti-spam', 'apbct')) &&
        strpos(Helper::ipResolve(Helper::ipGet()), 'cleantalk.org') !== false;

This function checks, among other things, whether the originating IP belongs to cleantalk.org. The IP address is determined based on the X-Client-Ip and X-Forwarded-By header parameters, which are user-defined parameters making this function vulnerable to IP address spoofing.

After the IP is resolved, the domain name is checked using the strpos() function. This function will only check for the existence of the string in the domain. This means that the function is vulnerable to DNS spoofing, because a domain with the ‘cleantalk.org’ string included in the subdomain will be enough to pass the check. An attacker can easily add this to a domain name like ‘cleantalk.org.evilsite.com’.

Ultimately, this means that the attacker is able to specify an IP address in the request that will return a matching domain name, a subdomain with the ‘cleantalk.org’ string, to the gethostbyaddr() function and bypass the intended authorization. The attacker can then perform any of the actions behind this intended authorization check, such as plugin installation, activation, deactivation or uninstallation.

Technical Analysis #2: Authorization Bypass due to Missing Empty Value Check

During the patch review, the Wordfence Threat Intelligence team noticed that there is another way to authorize the token, namely the hash comparison with the API key.

$token  = strtolower(Request::get('spbc_remote_call_token'));
// Check Access key
if (
    ($token === strtolower(md5($apbct->api_key)) ||
     $token === strtolower(hash('sha256', $apbct->api_key))) ||
    (self::checkWithoutToken() && self::isAllowedWithoutToken($action))
) {

Unfortunately, the function does not include any checks to prevent authorization when the API key is empty. This means that if the API key is not configured in the plugin, the attackers can authorize themselves using a token matching the empty hash value and perform the actions described in the previously mentioned vulnerability.

We would like to emphasize once again that this second vulnerability only critically affects site owners who have not configured the API key in the plugin. However, the impact will be the same as the previously highlighted vulnerability.

Disclosure Timeline

October 30, 2024 – We received the submission for the Authorization Bypass via Reverse DNS Spoofing vulnerability in Anti-Spam by CleanTalk via the Wordfence Bug Bounty Program.
October 30, 2024 – We validated the report and confirmed the proof-of-concept exploit.
October 30, 2024Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target the Authorization Bypass via Reverse DNS Spoofing vulnerability.
October 30, 2024 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
October 30, 2024 – The vendor confirmed the inbox for handling the discussion.
October 30, 2024 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
November 1, 2024 – The partially patched version of the plugin, 6.44, was released.
November 4, 2024 – The Wordfence Threat Intelligence team identified an Authorization Bypass due to Missing Empty Value Check vulnerability during the patch review.
November 4, 2024Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target the Authorization Bypass due to Missing Empty Value Check vulnerability.
November 4, 2024 – We sent over the full disclosure details to the vendor.
November 14, 2024 – The fully patched version of the plugin, 6.45, was released.
November 29, 2024 – Wordfence Free users receive the same protection against the Authorization Bypass via Reverse DNS Spoofing vulnerability.
December 4, 2024 – Wordfence Free users receive the same protection against the Authorization Bypass due to Missing Empty Value Check vulnerability.

Conclusion

In this blog post, we detailed an Authorization Bypass via Reverse DNS Spoofing vulnerability within the Anti-Spam by CleanTalk plugin affecting versions 6.43.2 and earlier, and we also detailed an Authorization Bypass due to Missing Empty Value Check vulnerability within the plugin affecting versions 6.44 and earlier. These vulnerabilities allow unauthenticated threat actors to install and activate arbitrary plugins. Both vulnerabilities have been addressed in version 6.45 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Anti-Spam by CleanTalk as soon as possible considering the critical nature of these vulnerabilities.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against the Authorization Bypass via Reverse DNS Spoofing vulnerability as of October 30, 2024. Users using the free version of Wordfence will receive the same protection 30 days later on November 29, 2024.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against the Authorization Bypass due to Missing Empty Value Check vulnerability as of November 4, 2024. Users using the free version of Wordfence will receive the same protection 30 days later on December 4, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

Did you enjoy this post? Share it!

Comments

No Comments