CVE-2024-10781 Overview
CVE-2024-10781 affects the Spam protection, Anti-Spam, FireWall plugin by CleanTalk for WordPress, in all versions up to and including 6.44. The perform function in the plugin's RemoteCalls.php file fails to verify that the stored api_key value is non-empty before using it to authorize a remote call. On a site that has never been activated with a CleanTalk account, an unauthenticated attacker can pass that check and direct the plugin to install and activate arbitrary plugins. Chained with a second plugin that has its own vulnerability, this leads to remote code execution on the host.
Critical Impact
Unauthenticated attackers can install and activate arbitrary plugins on affected WordPress sites, enabling remote code execution when combined with another vulnerable plugin.
Affected Products
- CleanTalk Spam protection, Anti-Spam, FireWall plugin for WordPress
- All versions up to and including 6.44
- WordPress installations using the cleantalk-spam-protect plugin
Discovery Timeline
- 2024-11-26 - CVE-2024-10781 published to the National Vulnerability Database
- 2025-07-12 - Last updated in NVD database
Technical Details for CVE-2024-10781
Vulnerability Analysis
The flaw resides in the perform function within lib/Cleantalk/ApbctWP/RemoteCalls.php. The function authorizes remote calls by comparing the token supplied in the request against the value it derives from the plugin's stored api_key, without first confirming that a key has been configured at all. On a site that has not yet been activated with a CleanTalk account the stored api_key is an empty string, so the expected token is a fixed value that any attacker can compute and supply; the comparison then succeeds without any secret being known.
This pattern is classified under CWE-703 (Improper Check or Handling of Exceptional Conditions): the unconfigured-key case is never handled as the exceptional condition it is, and authorization is granted on the strength of a comparison rather than on the existence of a valid credential. Once the check passes, the perform handler dispatches to administrative routines, including plugin installation and activation. The EPSS score for this issue is 2.512% at the 85.687 percentile, reflecting elevated exploitation interest.
Root Cause
The root cause is a missing empty-value check on the stored api_key before it is used as an authentication secret. The routine treats an unset or blank key as a valid comparison target, so a request carrying the token that corresponds to an empty key is accepted by any site that has not been activated with a CleanTalk account.
Attack Vector
The attack is performed over the network with no authentication or user interaction required. An attacker sends a crafted HTTP request to the WordPress site invoking the plugin's remote call handler with the token that corresponds to an unconfigured (empty) api_key. The handler then accepts an action parameter directing it to install and activate a plugin of the attacker's choosing from the WordPress plugin repository. If the attacker selects a known-vulnerable plugin, remote code execution follows from exploiting that secondary plugin.
No verified public proof-of-concept code is published. See the Wordfence Vulnerability Report and the WordPress Plugin Code Reference for the affected code locations.
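The following is an added example, not CleanTalk's code and not taken from the page: a minimal PHP model of a remote-call handler that shows the check as described above beside its hardened form. The parameter names spbc_remote_call_action and spbc_remote_call_token are the ones the page cites; the function names, the action table and the token derivation (md5 of the stored key) are assumptions made for the illustration only, and the weakness is the same for any deterministic derivation, because an empty key always yields one fixed, attacker-computable token.

```php
<?php
declare(strict_types=1);

// Added example, not CleanTalk's code. Models the remote-call token check
// with and without the empty-key guard. Function names, the action table
// and the md5 derivation are assumptions for this illustration.

const REMOTE_ACTIONS = ['install_plugin', 'activate_plugin'];

/**
 * Token the handler expects for a given stored key (assumed derivation).
 * An empty key gives a constant that anyone can compute.
 */
function expected_token(string $stored_key): string
{
    return strtolower(md5($stored_key));
}

/** Vulnerable pattern: compares without asking whether a key exists at all. */
function token_ok_vulnerable(string $stored_key, string $token): bool
{
    return hash_equals(expected_token($stored_key), strtolower($token));
}

/** Hardened pattern: an unconfigured key authorizes nothing. */
function token_ok_fixed(string $stored_key, string $token): bool
{
    if ($stored_key === '') {
        return false;
    }
    return hash_equals(expected_token($stored_key), strtolower($token));
}

/**
 * Model of perform(): returns the action that would be dispatched, or
 * 'FAIL'. $check is one of the two token checks above.
 */
function perform(array $request, string $stored_key, callable $check): string
{
    $action = strtolower((string) ($request['spbc_remote_call_action'] ?? ''));
    $token  = (string) ($request['spbc_remote_call_token'] ?? '');

    if (!in_array($action, REMOTE_ACTIONS, true)) {
        return 'FAIL';
    }
    if (!$check($stored_key, $token)) {
        return 'FAIL';
    }
    // A real handler would download, install and activate the plugin here.
    return $action;
}

// Constructed request: what an attacker sends to a site whose owner never
// activated the plugin. The token needs no secret, only the empty string.
$attack = [
    'spbc_remote_call_action' => 'install_plugin',
    'spbc_remote_call_token'  => expected_token(''),
];

printf("vulnerable check, no key configured: %s\n", perform($attack, '', 'token_ok_vulnerable'));
printf("fixed check, no key configured:      %s\n", perform($attack, '', 'token_ok_fixed'));
printf("vulnerable check, key configured:    %s\n", perform($attack, 'site-key-1', 'token_ok_vulnerable'));
```

Run it with php on the command line. The first call dispatches install_plugin because the empty key is accepted as a comparison target; the second refuses before comparing; the third shows that once a real key is configured the same request fails even against the vulnerable check, which is why configuring a key narrows the exposure but patching is what removes it.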
Detection Methods for CVE-2024-10781
Indicators of Compromise
- Unexpected plugin directories under wp-content/plugins/ that were not installed by an administrator
- Entries in active_plugins within the wp_options table referencing plugins not deployed by site owners
- HTTP requests (GET query string or POST body) to the site root or admin endpoints carrying spbc_remote_call_action=install_plugin together with a spbc_remote_call_token that is empty or that cannot correspond to a configured key, particularly on sites where no api_key was ever set
- Outbound requests from the WordPress host to downloads.wordpress.org initiated by the web server user without a corresponding admin session
Detection Strategies
- Inspect access logs for requests containing spbc_remote_call_token parameters paired with plugin install or activate actions originating from unauthenticated sessions
- Compare the on-disk plugin inventory against an approved baseline and alert on additions
- Monitor file system creation events under wp-content/plugins/ outside of administrator-initiated update windows
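As an added example (not from the page or from CleanTalk), the following PHP script applies the first detection strategy to access-log lines: it parses combined-log-format entries, picks out CleanTalk remote calls whose action is install_plugin or activate_plugin, and records whether the token was empty. The log lines are constructed for the demonstration. A standard access log shows only query-string parameters, so remote calls delivered in a POST body need WAF or application logging instead.

```php
<?php
declare(strict_types=1);

// Added example, not from the page or CleanTalk. Scans access-log lines for
// remote calls that target plugin install/activate. Sample lines below are
// constructed. Only query-string parameters are visible here; POST bodies
// are not recorded in a standard access log.

const SUSPECT_ACTIONS = ['install_plugin', 'activate_plugin'];

/** Parse a combined-log-format line. Returns null if it does not match. */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $query = [];
    $qpos = strpos($m[4], '?');
    if ($qpos !== false) {
        parse_str(substr($m[4], $qpos + 1), $query);
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $qpos === false ? $m[4] : substr($m[4], 0, $qpos),
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

/** Return a finding for a remote call targeting install/activate, else null. */
function classify_remote_call(array $req): ?array
{
    $q = $req['query'];
    if (!isset($q['spbc_remote_call_action'])) {
        return null;
    }
    $action = strtolower((string) $q['spbc_remote_call_action']);
    if (!in_array($action, SUSPECT_ACTIONS, true)) {
        return null;
    }
    $token = (string) ($q['spbc_remote_call_token'] ?? '');
    return [
        'ip'          => $req['ip'],
        'time'        => $req['time'],
        'action'      => $action,
        'empty_token' => $token === '',
        'status'      => $req['status'], // a 200 here means the handler accepted the call
    ];
}

/** Run both stages over raw log lines and return the findings. */
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $finding = classify_remote_call($req);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample log, not real traffic.
$sample_log = [
    '203.0.113.7 - - [26/Nov/2024:10:15:02 +0000] "GET /?spbc_remote_call_action=install_plugin&spbc_remote_call_token= HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [26/Nov/2024:10:15:05 +0000] "GET /?spbc_remote_call_action=activate_plugin&spbc_remote_call_token=0123456789abcdef HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '198.51.100.4 - - [26/Nov/2024:10:16:40 +0000] "GET /?spbc_remote_call_action=some_other_action&spbc_remote_call_token=0123456789abcdef HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Nov/2024:10:17:01 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9211 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample_log) as $f) {
    printf("%s %s action=%s empty_token=%s status=%d\n",
        $f['time'], $f['ip'], $f['action'], $f['empty_token'] ? 'yes' : 'no', $f['status']);
}
```

Only the first two sample lines produce findings. In practice, feed the script real log lines (one per element, or read with file()) and correlate a hit with the plugin-directory and active_plugins checks listed above: a remote call that returned 200 on a site without a configured api_key, followed by a new directory under wp-content/plugins/, is the full chain.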
Monitoring Recommendations
- Forward WordPress audit logs and web server access logs to a centralized analytics platform for correlation
- Alert on any wp_options modification touching active_plugins outside change-management windows
- Track the running version of the CleanTalk plugin across the estate and flag any host still on version 6.44 or earlier
How to Mitigate CVE-2024-10781
Immediate Actions Required
- Update the Spam protection, Anti-Spam, FireWall by CleanTalk plugin to a version newer than 6.44
- Audit the wp-content/plugins/ directory and the active_plugins option for unauthorized entries and remove any that are unrecognized
- Rotate WordPress administrator credentials and review user accounts on sites that ran a vulnerable version
- Configure a CleanTalk api_key on every site running the plugin rather than leaving it blank; this removes the unconfigured-key condition the bypass depends on, but it is not a substitute for updating
Patch Information
CleanTalk addressed the flaw by adding an empty-value check on the api_key value in the perform function. The fix is recorded in the WordPress Change Log Entry on the official WordPress plugin repository. Site operators must upgrade to the patched release through the WordPress plugin updater.
Workarounds
- Restrict access at the web server or WAF layer: on sites with no api_key configured there is no legitimate remote call to authorize, so block any request carrying spbc_remote_call_token there, and on all sites block requests whose spbc_remote_call_token is empty
- Deactivate the CleanTalk plugin until the patched version can be installed if immediate updating is not possible
- Apply WAF rules that deny unauthenticated requests carrying spbc_remote_call_action=install_plugin parameters
# Example: block CleanTalk remote-call requests that carry an empty token
# or the plugin-install action (nginx server block). Matches the query
# string only; nginx "if" cannot inspect a POST body. A regex on $args is
# used because $arg_spbc_remote_call_token is also empty when the
# parameter is absent, so testing it against "" would block every request.
if ($args ~* "(^|&)spbc_remote_call_token=(&|$)") { return 403; }
if ($args ~* "(^|&)spbc_remote_call_action=install_plugin(&|$)") { return 403; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

