Critical Vulnerability in WordPress Anti-Spam Plugin Allows Remote Exploitation

425/67 Thursday, November 28, 2024

Two critical vulnerabilities, identified as CVE-2024-10542 and CVE-2024-10781, have been discovered in the Spam Protection, Anti-Spam, and Firewall plugin for WordPress. These vulnerabilities could allow unauthenticated attackers to install and activate arbitrary plugins on vulnerable websites, potentially leading to remote code execution. Both vulnerabilities carry a CVSS severity score of 9.8 and were addressed in versions 6.44 and 6.45, released earlier this month.

The CleanTalk plugin, installed on over 200,000 WordPress websites, is designed to block spam in comments and various forms. However, attackers exploiting these vulnerabilities could install plugins of their choosing and, if those plugins contain unresolved security issues of their own, chain them to carry out remote attacks. To mitigate these risks, it is crucial to update plugins and WordPress installations regularly.

Additionally, Sucuri has warned about ongoing attack campaigns targeting compromised WordPress sites. These campaigns aim to redirect users to phishing sites, steal data, install malware, or execute PHP code on servers, which significantly increases the exposure of affected systems. Administrators are advised to strengthen security measures and perform regular system checks to reduce the risk of exploitation.

Source https://thehackernews.com/2024/11/critical-wordpress-anti-spam-plugin.html