Heads Up: WordPress Anti-Spam Plugin Vulnerability
By Kevin Williams / Nov 30
At DataPacket, we like to keep our customers informed about important security updates—and this one’s a biggie. A serious flaw has been discovered in the CleanTalk Anti-Spam plugin, a popular choice for WordPress sites. If you’re using it, you’ll want to pay attention.
Here’s the scoop: this plugin, installed on over 200,000 websites, has a vulnerability that’s been rated 9.8 out of 10 in severity. It allows attackers to bypass authentication entirely, meaning they don’t need a username or password to gain access to your site. Once in, they can upload any plugin they want—including malware.
The problem boils down to something called reverse DNS spoofing. It’s a fancy way of saying attackers can trick the plugin into thinking their malicious request is coming from your site itself. Since the plugin doesn’t verify these requests properly, the door swings wide open for unauthorized access.
Wordfence, the security outfit that discovered this, explains that the vulnerability lies in the plugin’s checkWithoutToken function. This little oversight means attackers can not only install their own plugins but also potentially execute harmful code if your site has other vulnerable plugins installed.
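To make the reverse DNS point concrete, here is an added illustration (not CleanTalk’s or Wordfence’s code): a trust check that relies only on the client’s PTR record, next to a forward-confirmed version that also resolves the name back to the connecting address. The host names, addresses and DNS records are constructed, and the lookups are injected so the script runs offline.

```python
# Added example, not the plugin's code: why a reverse-DNS-only trust check is
# spoofable, and how forward-confirmed reverse DNS (FCrDNS) closes the gap.
# DNS answers come from injected lookup functions so this runs offline; the
# zone data below is constructed for illustration only.

# Constructed PTR data. The PTR record for an address is published by whoever
# controls that address block, so it can claim any host name at all.
FAKE_PTR = {
    "198.51.100.5": "example-site.test",   # the legitimate site host
    "203.0.113.9": "example-site.test",    # attacker-controlled PTR, same name
}
# Constructed forward (A) data. These records are controlled by the site
# owner, not by the owner of the connecting address.
FAKE_A = {
    "example-site.test": {"198.51.100.5"},
}

TRUSTED_HOSTS = {"example-site.test"}


def ptr_lookup(ip):
    """Stand-in for socket.gethostbyaddr: IP -> PTR name, or None."""
    return FAKE_PTR.get(ip)


def forward_lookup(name):
    """Stand-in for socket.getaddrinfo: name -> set of A records."""
    return FAKE_A.get(name, set())


def weak_is_trusted(ip, ptr=ptr_lookup):
    """PTR-only check: trusts whatever name the client's address owner publishes."""
    return ptr(ip) in TRUSTED_HOSTS


def fcrdns_is_trusted(ip, ptr=ptr_lookup, fwd=forward_lookup):
    """Forward-confirmed check: the PTR name must resolve back to the connecting
    IP. A spoofed PTR fails because the attacker cannot add their address to the
    site owner's forward zone."""
    name = ptr(ip)
    if name is None or name not in TRUSTED_HOSTS:
        return False
    return ip in fwd(name)


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, "weak:", weak_is_trusted(ip), "fcrdns:", fcrdns_is_trusted(ip))
```

Even the forward-confirmed check only establishes where a request came from, not who sent it, so it belongs alongside a proper shared secret or token, not in place of one.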
So, what can you do? Don’t panic, but act fast. Make sure your plugins, including CleanTalk, are up to date. It’s also a good idea to check your site’s activity logs for anything suspicious and back up your site regularly—because better safe than sorry.
We’re here to help if you have any questions or concerns. Keeping your site secure is a team effort, and at DataPacket, we’ve got your back. Stay safe out there!
Kevin holds a Senior Tech position at DataPacket, where he excels as both a web developer and graphic designer. With his expertise in technical support, he consistently goes above and beyond, surpassing the expectations of clients and colleagues alike.