CVE-2024-10781
📋 TL;DR
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress, in all versions up to and including 6.44, lets unauthenticated attackers install and activate arbitrary plugins. The root cause is a missing empty-value check on the api_key that authenticates the plugin's remote calls (handled in lib/Cleantalk/ApbctWP/RemoteCalls.php). On its own the bug gives plugin installation, not code execution; it becomes remote code execution when the attacker installs a plugin that is itself vulnerable or malicious. Every WordPress site running the plugin at 6.44 or lower is affected; the fix is in 6.45.
💻 Affected Systems
- Spam protection, Anti-Spam, FireWall by CleanTalk WordPress plugin
📦 What is this software?
An anti-spam and firewall plugin for WordPress, distributed through the WordPress.org plugin directory under the slug cleantalk-spam-protect. It checks comments, registrations and form submissions against the CleanTalk cloud service and accepts remote calls from that service, which is the code path this vulnerability sits in.
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution leading to data theft, malware deployment, or site defacement.
Likely Case
Attackers install malicious plugins to gain persistent access, create backdoors, or deploy cryptocurrency miners.
If Mitigated
Limited if the plugin is updated or deactivated, or if the PHP process cannot write to wp-content/plugins, so the arbitrary install has nowhere to land (this also disables in-dashboard plugin installs and updates). Network segmentation does not help here: the vulnerable code is reachable by anyone who can reach the site's front end.
🎯 Exploit Status
Exploitation requires no authentication and no user interaction: the attacker only needs to send crafted HTTP requests to the site. Assume the flaw is being scanned for and treat unpatched sites as exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.45
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3188546/cleantalk-spam-protect
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Spam protection, Anti-Spam, FireWall by CleanTalk'.
4. Click 'Update Now', or manually update to version 6.45 or later.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable CleanTalk Plugin
Temporarily deactivate the vulnerable plugin until it is patched. Deactivation stops the plugin's code from loading, which closes the remote-call path; it also stops spam filtering, so re-enable it after updating.
wp plugin deactivate cleantalk-spam-protect
Restrict Remote Calls
Deny direct requests to the RemoteCalls.php file via the web server configuration. Caveat: RemoteCalls.php is a PHP class file loaded by the plugin, not an endpoint that exploitation has to request directly; the remote-call handler is reached through the plugin's normal front-end request processing. Blocking the file path therefore only stops direct probes for the file and is defense in depth, not a substitute for the update or for deactivating the plugin.
# Apache 2.4: add to the site's .htaccess (or the vhost config)
<Files "RemoteCalls.php">
Require all denied
</Files>
# Nginx: add to the server block, before the generic "location ~ \.php$" handler (the first matching regex location wins)
location ~* RemoteCalls\.php$ {
deny all;
}
🧯 If You Can't Patch
- Remove the CleanTalk plugin completely and switch to an alternative spam protection solution.
- Enable your web application firewall vendor's signature for this CVE if one is available. A rule that only blocks the RemoteCalls.php path does not cover the plugin's remote-call code path, so on its own it is not a mitigation.
- Make wp-content/plugins non-writable by the PHP process so an attacker-triggered install cannot be written to disk; accept that in-dashboard plugin installs and updates stop working until you revert this.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins → Installed Plugins and read the CleanTalk version. If the version is 6.44 or lower, the site is vulnerable regardless of configuration; the only safe states are 6.45 or later, or the plugin deactivated.
Check Version:
wp plugin list --name=cleantalk-spam-protect --field=version
Verify Fix Applied:
After updating, verify the CleanTalk plugin shows version 6.45 or higher in WordPress admin.
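The two checks above (is the installed version affected, and does the site now show a fixed version) can be scripted so they run the same way across many sites. The following is an added example, not code from the advisory or from the CleanTalk plugin. It assumes wp-cli is installed and that check_site runs from the WordPress root (or with --path); the version comparison itself is pure POSIX sh so it can also be used offline on a version string pulled from elsewhere.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): gate the installed
# CleanTalk version against the fixed release without eyeballing the admin UI.
# Assumes wp-cli and, for check_site, that it runs from the WordPress root.

FIXED_VERSION=6.45
PLUGIN_SLUG=cleantalk-spam-protect

# version_lt A B: succeed when dotted version A sorts strictly below B.
# Components are compared as integers, a missing component counts as 0, and a
# suffix such as "-beta" on a component is ignored (so 6.45-beta == 6.45 here).
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap=${a%%.*}; bp=${b%%.*}
    if [ "$ap" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bp" = "$b" ]; then b=; else b=${b#*.}; fi
    ap=${ap%%[!0-9]*}; bp=${bp%%[!0-9]*}
    ap=${ap:-0}; bp=${bp:-0}
    [ "$ap" -lt "$bp" ] && return 0
    [ "$ap" -gt "$bp" ] && return 1
  done
  return 1
}

# apbct_vulnerable VERSION: succeed when VERSION is 6.44 or lower.
apbct_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site: read the installed version through wp-cli and print a verdict.
# Exit status: 0 patched, 1 vulnerable, 2 plugin not installed.
check_site() {
  v=$(wp plugin list --name="$PLUGIN_SLUG" --field=version 2>/dev/null)
  if [ -z "$v" ]; then
    echo "$PLUGIN_SLUG: not installed"
    return 2
  fi
  if apbct_vulnerable "$v"; then
    echo "$PLUGIN_SLUG $v: VULNERABLE (update to $FIXED_VERSION or later)"
    return 1
  fi
  echo "$PLUGIN_SLUG $v: patched"
  return 0
}

# Fleet use, one site root per directory:
#   for s in /var/www/*; do ( cd "$s" && check_site ); done
```

Sites that report "not installed" may still have the plugin present but deactivated (wp plugin list lists inactive plugins too, so an empty result means the slug is absent); a deactivated copy at 6.44 is not exploitable but will be again the moment someone re-enables it, so update it anyway.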
📡 Detection & Monitoring
Log Indicators:
- Any direct request to /wp-content/plugins/cleantalk-spam-protect/lib/Cleantalk/ApbctWP/RemoteCalls.php. The file is a class loaded by the plugin, so nothing legitimate requests it; a hit indicates probing. Exploitation goes through the plugin's normal request handling, so a log with no hits on this path is not evidence that the site was not exploited.
- Plugins appearing in the installed-plugin list that nobody on the team installed, especially ones activated immediately after installation.
- Plugin installation or activation events in whatever admin-activity logging the site has (WordPress does not log these by default; an activity-log plugin or the PHP error log may).
Network Indicators:
- Remote-call requests to the site carrying an empty or malformed api_key value, the parameter whose missing empty-value check is the root cause.
- Unusual outbound connections after plugin installation
SIEM Query (Splunk-style pseudo-query; the source and field names depend on your log pipeline):
source="web_server" AND (uri="*RemoteCalls.php*" OR message="*plugin installed*")
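The first and second log indicators can be checked with plain POSIX tools, which matters on hosts where no SIEM ingests the web logs. The following is an added example and not part of the advisory or the CleanTalk plugin. It assumes a combined-format access log for flag_remotecalls_hits and wp-cli in the WordPress root for snapshot_plugins; the log lines, IPs and plugin slugs in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): two checks for the log
# indicators above, using only POSIX tools.
#   flag_remotecalls_hits LOG       requests whose path contains RemoteCalls.php
#   new_plugins BASELINE CURRENT    plugin slugs that appeared since a baseline
# Assumes a combined-format access log and, for snapshot_plugins, wp-cli.

RC_PATH='cleantalk-spam-protect/lib/Cleantalk/ApbctWP/RemoteCalls.php'

# Print "ip method path status" for each request to the RemoteCalls.php path.
# Direct hits on this class file are anomalous, but exploitation does not need
# to request it, so a clean result is not proof of no exploitation.
flag_remotecalls_hits() {
  awk -v needle="$RC_PATH" '
    index($0, needle) {
      method = substr($6, 2)          # $6 is "\"POST" in combined log format
      printf "%s %s %s %s\n", $1, method, $7, $9
    }' "$1"
}

# Write the sorted list of installed plugin slugs to FILE. Run once to take a
# baseline, then periodically (cron) to take the current snapshot.
snapshot_plugins() {
  wp plugin list --field=name | sort > "$1"
}

# Print slugs present in CURRENT but absent from BASELINE. Exit status follows
# grep: 0 when something new was found (alert), 1 when the inventories match.
new_plugins() {
  grep -vxFf "$1" "$2"
}

# Constructed sample data so the script runs offline (documentation IPs,
# made-up plugin slug).
demo() {
  d=$(mktemp -d)
  cat > "$d/access.log" <<'EOF'
198.51.100.4 - - [12/Nov/2024:10:14:58 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2024:10:15:02 +0000] "POST /wp-content/plugins/cleantalk-spam-protect/lib/Cleantalk/ApbctWP/RemoteCalls.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.4 - - [12/Nov/2024:10:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
EOF
  printf 'akismet\ncleantalk-spam-protect\n' > "$d/baseline.txt"
  printf 'akismet\ncleantalk-spam-protect\nunexpected-plugin\n' > "$d/current.txt"
  echo "== direct RemoteCalls.php hits =="
  flag_remotecalls_hits "$d/access.log"
  echo "== plugins added since baseline =="
  new_plugins "$d/baseline.txt" "$d/current.txt" || echo "(none)"
  rm -r "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh detect.sh demo` to see the constructed data flagged; in production, wire `if new_plugins baseline.txt current.txt; then ...; fi` into whatever alerting you have, because new_plugins exits 0 exactly when there is something to report.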
🔗 References
- https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L95
- https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L96
- https://plugins.trac.wordpress.org/changeset/3188546/cleantalk-spam-protect#file653
- https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae062c-b084-4045-9407-2d94919993af?source=cve