Nearly 50% of over 200,000 WordPress sites with the Spam protection, Anti-Spam, FireWall by CleanTalk plugin were discovered to remain impacted by a pair of critical authorization bypass vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, which could be leveraged to facilitate arbitrary plugin activation and remote code execution attacks, SecurityWeek reports.
More severe of the two is CVE-2024-10542, which evades authorization for the plugin's remote call and plugin installation function, according to a report from Defiant. "The attacker can then perform any of the actions behind this intended authorization check, such as plugin installation, activation, deactivation or uninstallation," said Defiant. While such an issue has been addressed by CleanTalk earlier this month, the released fix was found to be affected by CVE-2024-10781, which enables attacker authorization through a token with the same empty hash value, Defiant added. Organizations with WordPress sites using the CleanTalk plugin have been urged to immediately apply the version 6.45 update.
