Security researchers have uncovered two severe vulnerabilities in the popular Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active website installations.
The first flaw, reported on October 30th, 2024, is an Authorization Bypass via Reverse DNS Spoofing. It allows unauthenticated attackers to install and activate arbitrary plugins, which can lead to remote code execution on vulnerable sites. Security researcher mikemyers responsibly reported it through the Wordfence Bug Bounty Program and earned a $4,095 reward.
A second, related vulnerability followed on November 4th, when the Wordfence Threat Intelligence Team identified another weakness in the same functionality while reviewing the initial fix.
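The flaw class named above, a trust decision made on the caller's reverse DNS name, is easy to get wrong because whoever controls an IP block also controls its PTR records. The example below is added here to illustrate that class in general; it is not CleanTalk's code and makes no claim about how the plugin implemented its check. The trusted suffix `.cleantalk.org`, the resolver hooks and the constructed DNS records are all assumptions for the demonstration. It shows a PTR-only check next to a forward-confirmed reverse DNS (FCrDNS) check, which additionally resolves the PTR name forward and requires the original IP to appear in the answer.

```python
import ipaddress
import socket

# Assumed for the example: hostnames under this suffix are treated as trusted.
TRUSTED_SUFFIX = ".cleantalk.org"


def _reverse_system(ip):
    """Default reverse lookup: PTR record for ip via the OS resolver."""
    return socket.gethostbyaddr(ip)[0]


def _forward_system(host):
    """Default forward lookup: every A/AAAA address the OS resolver returns for host."""
    return {entry[4][0] for entry in socket.getaddrinfo(host, None)}


def ptr_only_check(ip, reverse=_reverse_system):
    """Vulnerable pattern: trust the caller if its PTR name ends in the suffix.

    The PTR zone for an address is delegated to whoever holds that address,
    so an attacker can point the PTR of their own IP at any name they like.
    """
    try:
        host = reverse(str(ipaddress.ip_address(ip)))
    except (OSError, ValueError):
        return False
    return host.lower().rstrip(".").endswith(TRUSTED_SUFFIX)


def fcrdns_check(ip, reverse=_reverse_system, forward=_forward_system):
    """Hardened pattern: PTR name must match AND must resolve back to the IP.

    The attacker controls the PTR for their IP but not the forward zone of
    the trusted domain, so the round trip fails for a spoofed PTR.
    """
    try:
        addr = ipaddress.ip_address(ip)
        host = reverse(str(addr))
    except (OSError, ValueError):
        return False
    host = host.lower().rstrip(".")
    if not host.endswith(TRUSTED_SUFFIX):
        return False
    try:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(host)}
    except (OSError, ValueError):
        return False
    return addr in forward_addrs


# Constructed DNS data for an offline run. 198.51.100.10 is the "real" API
# host; 203.0.113.5 is an attacker who set the PTR of their own IP to a
# trusted-looking name. The attacker cannot change the forward record.
FAKE_PTR = {
    "198.51.100.10": "api.cleantalk.org",
    "203.0.113.5": "api.cleantalk.org",
}
FAKE_FORWARD = {
    "api.cleantalk.org": {"198.51.100.10"},
}


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise OSError("no PTR")


def fake_forward(host):
    try:
        return FAKE_FORWARD[host]
    except KeyError:
        raise OSError("NXDOMAIN")


def evaluate(ip):
    """Return (ptr_only_result, fcrdns_result) for ip against the fake zones."""
    return (
        ptr_only_check(ip, reverse=fake_reverse),
        fcrdns_check(ip, reverse=fake_reverse, forward=fake_forward),
    )


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.5", "192.0.2.77"):
        print(ip, evaluate(ip))
```

Even the FCrDNS form still rests on DNS answers the server did not authenticate; for a privileged remote-management endpoint the robust control is a secret the caller must present (a per-site API key or signed request), with the hostname check at most as an additional filter.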
The CleanTalk development team responded swiftly to the security alerts. They released an initial patch on November 1st, followed by a second update on November 14th, 2024. The latest secure version of the plugin is 6.45.
Wordfence deployed firewall rules for both issues to its premium users on the days they were reported. Free users receive the same rules after a 30-day delay: protection against the first vulnerability arrived on November 29th and against the second on December 4th, 2024.
Website administrators running the Anti-Spam by CleanTalk plugin should immediately update to version 6.45 to protect their sites from potential attacks. These vulnerabilities pose serious risks, as they could allow malicious actors to gain unauthorized control over affected WordPress installations.
This incident highlights the ongoing importance of prompt security updates and vigilant monitoring of WordPress plugins, particularly those with large user bases that present attractive targets for potential attackers.