WordPress Anti-Spam Plugin Vulnerability Exposes 200,000 Sites to RCE Attacks (searchenginejournal.com)
- News link: https://it.slashdot.org/story/24/11/30/1830222/wordpress-anti-spam-plugin-vulnerability-exposes-200000-sites-to-rce-attacks
- Source link: https://www.searchenginejournal.com/wordpress-anti-spam-plugin-vulnerability-hits-200k-sites/533844/
The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..."
> The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Anti-Spam plugin into believing that the malicious request is coming from the website itself, and because that plugin doesn't have a check for that, the attackers gain unauthorized access... Wordfence recommends that users of the affected plugin update to version 6.44 or higher.
Thanks to Slashdot reader [2]bleedingobvious for sharing the news.
[1] https://www.searchenginejournal.com/wordpress-anti-spam-plugin-vulnerability-hits-200k-sites/533844/
[2] https://www.slashdot.org/~bleedingobvious
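The trust decision the excerpt describes, as an added illustration that is not the plugin's own code: a check that believes a reverse-DNS (PTR) name alone, the forward-confirmed variant that catches a spoofed PTR, and the secret-based check that a "request from the site itself" decision should actually rest on. The host names, addresses, DNS records and secret below are constructed fixtures, not real data.

```python
import hashlib
import hmac
from typing import Callable, Dict, Set

# Constructed DNS fixtures standing in for live PTR and A lookups (not real records).
# The site legitimately lives at 203.0.113.10. The PTR record for 198.51.100.7 is
# controlled by whoever owns that address block, so it can be made to claim any name.
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "example-site.test",
    "198.51.100.7": "example-site.test",   # spoofed reverse record
}
A_RECORDS: Dict[str, Set[str]] = {
    "example-site.test": {"203.0.113.10"},
}

PtrLookup = Callable[[str], str]
ALookup = Callable[[str], Set[str]]


def ptr_lookup(ip: str) -> str:
    return PTR_RECORDS.get(ip, "")


def a_lookup(host: str) -> Set[str]:
    return A_RECORDS.get(host, set())


def trusted_by_rdns_only(ip: str, site_host: str, ptr: PtrLookup = ptr_lookup) -> bool:
    """Weak check: trusts the PTR name by itself. Anyone who controls reverse DNS
    for their own address range passes it, which is the bug class in the story."""
    return ptr(ip) == site_host


def trusted_by_fcrdns(ip: str, site_host: str, ptr: PtrLookup = ptr_lookup,
                      a: ALookup = a_lookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the requesting
    IP. This defeats PTR spoofing, but a DNS name is still only an origin hint."""
    host = ptr(ip)
    return host == site_host and ip in a(host)


def sign_request(body: bytes, shared_secret: bytes) -> str:
    """MAC the request with a secret only the site and the plugin hold."""
    return hmac.new(shared_secret, body, hashlib.sha256).hexdigest()


def trusted_by_secret(body: bytes, presented_mac: str, shared_secret: bytes) -> bool:
    """Authentication rather than origin guessing: constant-time MAC comparison."""
    return hmac.compare_digest(sign_request(body, shared_secret), presented_mac)
```

Run against the fixtures, the spoofed address passes the PTR-only check and fails the forward-confirmed one; the secret-based check does not consult DNS at all.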
To be fair ... (Score:2)
It's an anti-spam plugin, not an anti-rce plugin. :-)
(Unfortunately, their upcoming anti-rce plugin allows spam ...)
Still less than 0.5% of WordPress. (Score:3)
What people tend to overlook is the sheer size of the WordPress install base. WordPress makes up roughly a third of the dynamic Web. Like, the _entire_ Web. That's roughly 50 million active installations. WordPress dwarfs everything else by orders of magnitude. For that, its security track record is actually quite impressive. Any flawed plugin with less than 20000 installs isn't even worth mentioning in this context. This one is, though, and as usual, the plug-in devs did one shitty job.
If you're looking for WordPress anti-spam, just stick with Akismet. It has been an official Automattic product for quite some time now and it's even installed by default.