MalCare Shields Over 200,000 Sites Against Critical Vulnerabilities in Anti-Spam By CleanTalk Plugin

On October 30th, 2024, and November 4th, 2024, two major security issues were discovered in the Anti-Spam by CleanTalk plugin, affecting all versions up to v6.44. These vulnerabilities could let hackers install and activate arbitrary plugins without permission.
If another vulnerable plugin is present, hackers could exploit it to run harmful code on your site, potentially gaining control of your WordPress site.
If you’re currently using this plugin, we advise scanning your site to detect any potential issues.
What are the vulnerabilities?

If your site is one of the 200,000+ sites using the Anti-Spam by CleanTalk plugin, you need to know that all versions up to and including v6.44 have two critical security issues: an authorization bypass via reverse DNS spoofing and an authorization bypass via a missing empty value check.
What makes these vulnerabilities so severe is their simplicity to exploit. Without needing to log in, attackers can install and activate plugins. With another vulnerable plugin present, they can run harmful code and take unauthorized control of your site, leading to major security risks.
Should you be worried?
Yes. The vulnerabilities in the Anti-Spam by CleanTalk plugin are serious, with CVSS scores of 9.8 and 8.1, indicating critical threats.
Hence, you must update the plugin to the latest version immediately to protect your site from severe risks.


What should you do next?
To keep your site secure, it’s crucial to act immediately. Here’s what you should do:

What if your site is already compromised?
If there’s a concern that your site might have been compromised through these vulnerabilities, here’s what you should do:
Technical details of the vulnerabilities
Issue
The Anti-Spam by CleanTalk plugin contains serious vulnerabilities that allow hackers to bypass authorization and perform unauthorized actions. These flaws let attackers install or activate plugins without your permission. Additionally, if there’s another vulnerable plugin on your site, it could lead to harmful actions being executed.
Root cause
Authorization bypass via reverse DNS spoofing
The plugin has a function named perform() that carries out remote-management tasks such as installing plugins. Before acting, it is supposed to confirm that the request is authorized, either by checking a supplied token against the stored API key or, alternatively, through a second check called checkWithoutToken().
checkWithoutToken() tries to verify that the request comes from cleantalk.org by resolving the requester’s IP address to a hostname (a reverse DNS lookup) and examining that hostname. The problem is that this hostname is not something the plugin controls: whoever controls the IP address also controls its reverse DNS record, so an attacker can set the name to whatever they like.
Because the check only looks for the text “cleantalk.org” somewhere in the hostname, a name such as “cleantalk.org.hackersite.com” passes, and the request is treated as authorized. That lets an unauthenticated requester perform the actions perform() exposes, such as installing, activating, or removing plugins.
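The following is an added illustration, not code from the plugin or from MalCare. It puts the substring-style hostname check beside a hardened version that requires an exact domain or subdomain match and then forward-confirms the hostname against the connecting IP (forward-confirmed reverse DNS). The resolver functions are injected so the script runs offline against constructed lookup tables; the IP addresses are hypothetical documentation addresses, and in production they would be replaced by gethostbyaddr() and gethostbynamel().

```php
<?php
// Added example (not the plugin's code): reverse-DNS origin check, vulnerable and hardened.
// DNS lookups are injected as callables so the demo runs offline on constructed data.

declare(strict_types=1);

const TRUSTED_DOMAIN = 'cleantalk.org';

// Vulnerable pattern: trusts the PTR name and only looks for the substring.
function is_trusted_origin_vulnerable(string $ip, callable $reverse): bool
{
    $host = $reverse($ip);                 // gethostbyaddr($ip) in production
    return $host !== false && strpos($host, TRUSTED_DOMAIN) !== false;
}

// Hardened pattern: the PTR name must be the trusted domain itself or a subdomain
// of it (not merely contain it), and the name must resolve back to the same IP.
function is_trusted_origin_hardened(string $ip, callable $reverse, callable $forward): bool
{
    $host = $reverse($ip);
    if ($host === false || $host === '') {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));
    $suffix = '.' . TRUSTED_DOMAIN;
    $isDomain = $host === TRUSTED_DOMAIN
        || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
    if (!$isDomain) {
        return false;
    }
    $addresses = $forward($host);          // gethostbynamel($host) in production
    return is_array($addresses) && in_array($ip, $addresses, true);
}

// Constructed DNS data (hypothetical addresses from documentation ranges).
$ptr = [
    '192.0.2.10'   => 'api.cleantalk.org',            // genuine name, forward-confirmed below
    '198.51.100.7' => 'cleantalk.org.hackersite.com', // PTR name chosen by the address owner
    '203.0.113.5'  => 'api.cleantalk.org',            // PTR claims the name; forward lookup disagrees
];
$fwd = [
    'api.cleantalk.org'            => ['192.0.2.10'],
    'cleantalk.org.hackersite.com' => ['198.51.100.7'],
];
$reverse = fn(string $ip) => $ptr[$ip] ?? false;
$forward = fn(string $host) => $fwd[$host] ?? false;

foreach (array_keys($ptr) as $ip) {
    printf(
        "%-14s vulnerable=%-5s hardened=%s\n",
        $ip,
        var_export(is_trusted_origin_vulnerable($ip, $reverse), true),
        var_export(is_trusted_origin_hardened($ip, $reverse, $forward), true)
    );
}
```

Only the first address passes the hardened check: the second fails the domain match, and the third fails the forward confirmation even though its PTR record claims a legitimate name. Even with forward confirmation, a DNS-based origin check is a weak substitute for an authenticated token, so it should complement the token check rather than stand in for it.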

Authorization bypass via missing empty value check
Another issue is how the plugin handles API keys, which function like passwords. When the plugin verifies whether a caller may perform certain actions, it compares a hash of the stored API key to a token supplied with the request.
If the API key is left empty, the plugin doesn’t catch this, so the comparison is made against the hash of an empty string, and a token equal to that hash is accepted. This oversight can let unauthorized users reach restricted features, particularly on sites whose owners never configured an API key.
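The following is an added illustration, not code from the plugin or from MalCare, of the token check described above with and without an empty-value check. The hash algorithm (md5) and the sample key are assumptions made for the demo; the plugin's actual hashing is not stated on this page.

```php
<?php
// Added example (not the plugin's code): hash-of-API-key token check, vulnerable and hardened.
// md5 and the sample key are assumptions for the demo.

declare(strict_types=1);

function verify_token_vulnerable(?string $storedApiKey, string $token): bool
{
    // Missing empty-value check: an unset key becomes '' and hashes to a fixed,
    // well-known value, so one token is valid on every unconfigured site.
    return md5((string) $storedApiKey) === $token;
}

function verify_token_hardened(?string $storedApiKey, string $token): bool
{
    // Refuse outright when no key is configured: nothing can be authorized then.
    if ($storedApiKey === null || trim($storedApiKey) === '') {
        return false;
    }
    // Constant-time comparison so the check does not leak the expected hash.
    return hash_equals(md5($storedApiKey), $token);
}

// Constructed inputs: an unconfigured site (no key) and a configured one.
$unconfiguredKey = null;
$configuredKey   = 'example-api-key-not-real';

$emptyHash = md5('');             // hash of an empty key: d41d8cd98f00b204e9800998ecf8427e
$goodToken = md5($configuredKey); // what a legitimate caller presents on the configured site

$cases = [
    ['site' => 'unconfigured', 'key' => $unconfiguredKey, 'token' => $emptyHash],
    ['site' => 'configured',   'key' => $configuredKey,   'token' => $emptyHash],
    ['site' => 'configured',   'key' => $configuredKey,   'token' => $goodToken],
];
foreach ($cases as $c) {
    printf(
        "%-12s token=%s... vulnerable=%-5s hardened=%s\n",
        $c['site'],
        substr($c['token'], 0, 8),
        var_export(verify_token_vulnerable($c['key'], $c['token']), true),
        var_export(verify_token_hardened($c['key'], $c['token']), true)
    );
}
```

The first case is the one the advisory describes: the vulnerable check accepts the empty-key hash on an unconfigured site, while the hardened check rejects it because there is no key to authorize against. The other two cases show that the fix does not break normal operation on a configured site.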

Timeline
How MalCare protects your site
If you’re a MalCare user, your site is safe from the vulnerabilities in the Anti-Spam by CleanTalk plugin. MalCare’s advanced Atomic Security firewall automatically protects your site. Here’s how:
We have already blocked approximately 572 attacks targeting the missing empty value check vulnerability and over 5,000 attacks against the reverse DNS spoofing vulnerability.
How to keep your site secure
Keeping your website secure is a continuous effort that involves good practices and security tools. Here are some general practices to make sure your site stays protected from threats:
- Use a trusted security plugin like MalCare to monitor your site for threats and provide automatic updates. These plugins offer instant protection and help catch vulnerabilities early.
- Regularly update your plugins, themes, and WordPress core. Developers release updates to fix security flaws, so it’s crucial to stay up-to-date.
- Choose complex and unique passwords for admin accounts, databases, and other sensitive areas on your site. A password manager can help create and store these safely. Encourage users to set strong passwords and remind them to change them regularly.
- Enable two-factor authentication (2FA) for an extra layer of security during login, adding an additional step for verification.
- Opt for a reliable hosting provider that emphasizes security. Quality hosts provide features like firewalls, malware scanning, and regular backups.
- Consistently back up your website so that you can quickly restore it if a security incident occurs. Automated backup solutions simplify this task.
- Perform regular audits on users and check permissions to ensure no one has more access than necessary. Restrict admin rights to individuals who truly need them.