Intro:
Recently, a serious vulnerability was found in the popular “Spam protection, Anti-Spam, FireWall by CleanTalk” WordPress plugin. Known as CVE-2024-10542, this bug lets hackers bypass authorization and install any plugin they want—even if they’re not logged into your site. If you’re using this plugin (any version up to and including 6.43.2), your website could be at serious risk!

This post breaks down how CVE-2024-10542 works in plain English. You’ll see code snippets, get reference links, and learn why updating NOW is non-negotiable.

What Is CleanTalk?

CleanTalk is a widely-used anti-spam and firewall plugin for WordPress, with over 100,000 active installations. It claims to stop spam in comments, orders, and even signups. It’s trusted by many site owners who want an easy plug-and-play security solution.

The Vulnerability: Authorization Bypass via Reverse DNS

At the heart of CVE-2024-10542 is a function called checkWithoutToken. This function is supposed to make sure that only authorized servers can perform certain sensitive tasks, like installing or activating plugins, but instead of a token it tries to verify the caller from the reverse DNS record of its IP address.

The Flaw

Instead of using tokens or strong authentication, the plugin looks up the reverse DNS (PTR) record of the requesting IP address and checks whether the hostname ends with a specific domain (like cleantalk.org). But reverse DNS can be SPOOFED: the PTR record for an IP address is set by whoever controls that address's reverse zone (for a rented server, often the attacker), so a hacker can make their own IP resolve to a name under the trusted domain and easily bypass this “protection.”

Let’s look at the risky part (simplified for readability):

public function checkWithoutToken() {
    $user_ip = $_SERVER['REMOTE_ADDR'];
    // PTR lookup only: nothing confirms that $host resolves back to $user_ip
    $host = gethostbyaddr($user_ip);
    // Allow if hostname ends with "cleantalk.org"
    // (no dot boundary either, so a name like "notcleantalk.org" also matches)
    if (substr($host, -strlen('cleantalk.org')) === 'cleantalk.org') {
        // Allowed without token!
        return true;
    }
    return false;
}

What’s wrong?
If an attacker points their IP’s reverse DNS record to something like attacker.cleantalk.org, they PASS the check, even though they have nothing to do with CleanTalk.
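To see the flaw and its remedy side by side, here is an added Python example (not the plugin's PHP and not CleanTalk's code) that contrasts the suffix-only check above with a forward-confirmed reverse DNS (FCrDNS) check. The IP addresses, hostnames and DNS tables are constructed stand-ins so it runs offline; in real code the two lookups would be socket.gethostbyaddr and socket.gethostbyname_ex (PHP: gethostbyaddr and gethostbynamel).

```python
"""Suffix-only reverse-DNS trust versus forward-confirmed reverse DNS (FCrDNS)."""
from typing import Callable, Dict, List, Optional

TRUSTED_DOMAIN = "cleantalk.org"  # the domain the vulnerable check trusts

# Constructed DNS view for the demo (not real records). The attacker controls
# the PTR for 203.0.113.10 but cannot add names to the cleantalk.org zone.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "attacker.cleantalk.org",  # attacker-set PTR
    "192.0.2.7": "evilcleantalk.org",          # attacker-owned look-alike domain
    "198.51.100.5": "api.cleantalk.org",       # placeholder for a genuine host
}
FAKE_A: Dict[str, List[str]] = {
    "evilcleantalk.org": ["192.0.2.7"],
    "api.cleantalk.org": ["198.51.100.5"],
    # "attacker.cleantalk.org" has no forward record: the attacker cannot create one
}


def fake_reverse(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0] (PHP: gethostbyaddr)."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """Stand-in for socket.gethostbyname_ex(name)[2] (PHP: gethostbynamel)."""
    return FAKE_A.get(name, [])


def suffix_check(ip: str, reverse: Callable[[str], Optional[str]] = fake_reverse) -> bool:
    """The vulnerable logic from the snippet above: trust any PTR ending in the domain."""
    host = reverse(ip) or ""
    return host.endswith(TRUSTED_DOMAIN)


def fcrdns_check(ip: str,
                 reverse: Callable[[str], Optional[str]] = fake_reverse,
                 forward: Callable[[str], List[str]] = fake_forward) -> bool:
    """Hardened: the name must sit under the domain (dot boundary) AND must
    resolve forward to the same IP, so a PTR alone no longer proves anything."""
    host = (reverse(ip) or "").lower().rstrip(".")
    under_domain = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    return under_domain and ip in forward(host)


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(f"{ip:14} PTR={FAKE_PTR[ip]:24} suffix={suffix_check(ip)!s:5} fcrdns={fcrdns_check(ip)}")
```

Even a forward-confirmed name only proves who operates that IP's DNS; it is still identification, not authorization, which is why a secret token or signature on the request is the actual fix.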

Step 1: Prepare a Malicious IP

The attacker sets a reverse DNS pointer (PTR record) for their IP address so that a lookup returns anything.cleantalk.org.

Step 2: Send a Plugin Install Request

Next, the attacker makes a crafted HTTP request to a CleanTalk admin function exposed by the plugin (like admin.php?page=cleantalk_plugin_install), sent from the IP address whose PTR record they control.

Step 3: CleanTalk Trusts the Attacker

The checkWithoutToken function sees the attacker’s IP, looks up its hostname, finds that it ends with “cleantalk.org”, and *grants* access: no password or token required!

Step 4: Install or Activate Any Plugin

The attacker can now tell WordPress to download, install, and activate any plugin, including those that let them run code, create users, or seize your site.

Step 5 (Optional): Escalate to Remote Code Execution

If the attacker installs (or your site already has) another vulnerable plugin, they can exploit it further and run any code they want (“remote code execution”).

Here’s a basic workflow for the exploit (example in pseudo-curl)

# 1. Attacker's IP reverse DNS is set to attacker.cleantalk.org

# 2. Make an install request from that IP (simulated here via curl with --interface)

curl --interface <attacker-ip> \
  -X POST \
  -d 'plugin=evil-plugin.zip' \
  https://victim.example.com/wp-admin/admin.php?page=cleantalk_plugin_install

The server will accept and install the plugin—no login needed!

*In the real world, the attacker may need to get their request routed through a server with the malicious PTR record, but this is possible with cheap VPS hosting providers.*

Mitigation

If you use this plugin, UPGRADE IMMEDIATELY!

CleanTalk fixed the vulnerability in version 6.43.3.

- Download here: https://wordpress.org/plugins/cleantalk-spam-protect/

References and Further Reading

- Official CVE page: CVE-2024-10542 in NIST NVD
- Advisory by Patchstack: https://patchstack.com/database/vulnerability/cleantalk-spam-protect/wordpress-spam-protection-anti-spam-firewall-by-cleantalk-plugin-6-43-2-unauthorized-arbitrary-plugin-installation-via-reverse-dns-spoofing/
- CleanTalk plugin page: https://wordpress.org/plugins/cleantalk-spam-protect/

Takeaway

Even security plugins can have dangerous bugs. Never rely on a single tool for complete WordPress security. Always update your plugins, audit your site, and use least privilege—not fancy tricks like reverse DNS for authorization!

If you want your WordPress site safe, patch early and patch often!
Stay vigilant and keep learning.


Share this post with anyone running CleanTalk or WordPress security plugins.
Questions or worries? Drop them in the comments!

Timeline

Published on: 11/26/2024 06:15:07 UTC