Skip to main content

A critical vulnerability has been discovered in the CleanTalk Anti-Spam plugin for WordPress, which is widely used to protect websites from spam attacks. This flaw, affecting over 200,000 installations, has been given a severity rating of 9.8 out of 10, emphasizing its grave potential for exploitation.

What’s the Issue?
The vulnerability lies in an authentication bypass, allowing attackers to access websites without needing login credentials. Essentially, this flaw enables bad actors to install and activate unauthorized plugins—including malicious ones—granting them full control of affected websites.

How Does It Work?
The root of the issue is reverse DNS spoofing, a technique where an attacker manipulates the DNS system to make it appear as though their malicious request originates from the website itself. Because the CleanTalk plugin lacks proper checks to verify the authenticity of these requests, attackers can bypass authorization and gain full access to the site’s functionality.

This type of vulnerability falls under the category of Missing Authorization, as defined by the Common Weakness Enumeration (CWE):

“The product does not perform an authorization check when an actor attempts to access a resource or perform an action.”

In this case, the flaw resides in the plugin’s `checkWithoutToken` function, which makes it possible for unauthenticated attackers to install arbitrary plugins. If one of these installed plugins contains additional vulnerabilities, the attackers can use it to execute malicious code remotely.

What Should You Do?

Action Required:
If you’re using the CleanTalk Anti-Spam plugin, it’s critical to update it immediately to version 6.44 or higher. This update patches the vulnerability and ensures your site remains secure.

Steps to Protect Your Website:
1. Update the Plugin: Go to your WordPress dashboard, navigate to “Plugins,” and check for updates. Ensure you’re running version 6.44 or above.
2. Run a Security Scan: Use a trusted WordPress security tool to scan your website for any unauthorized plugins or potential malware.
3. Strengthen Your Security: Consider implementing additional layers of protection, such as a firewall or multi-factor authentication, to minimize risks.

Why This Matters
WordPress powers over 40% of websites globally, making it a prime target for attackers. A single vulnerability in a widely used plugin like CleanTalk can potentially compromise thousands of sites, exposing sensitive data and causing significant downtime.

By staying vigilant and keeping your plugins updated, you can protect your website and ensure it remains safe for you and your users.

Stay secure. Stay updated.

A Serious Security Flaw in WordPress Anti-Spam Plugin Threatens 200,000+ Websites

Aaron Fernandes

Aaron Fernandes is a web developer, designer, and WordPress expert with over 11 years of experience.