CVE-2024-10781

Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

El complemento Spam protection, Anti-Spam, FireWall by CleanTalk para WordPress es vulnerable a la instalación arbitraria de complementos debido a la falta de una comprobación de valor vacío en el valor 'api_key' en la función 'perform' en todas las versiones hasta la 6.44 incluida. Esto permite que atacantes no autenticados instalen y activen complementos arbitrarios que pueden aprovecharse para lograr la ejecución remota de código si se instala y activa otro complemento vulnerable.

*Credits: István Márton

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-11-04 CVE Reserved
2024-11-25 CVE Published
2024-11-26 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-703: Improper Check or Handling of Exceptional Conditions

CAPEC

References (4)

URL	Tag	Source
https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L95
https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L96
https://plugins.trac.wordpress.org/changeset/3188546/cleantalk-spam-protect#file653
https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae062c-b084-4045-9407-2d94919993af?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cleantalk Search vendor "Cleantalk"		Spam Protection, Anti-Spam, FireWall Search vendor "Cleantalk" for product "Spam Protection, Anti-Spam, FireWall"				<= 6.44 Search vendor "Cleantalk" for product "Spam Protection, Anti-Spam, FireWall" and version " <= 6.44"		en		Affected