WordPress Anti-Spam Plugin Vulnerability Exposes 200,000 Sites to RCE Attacks (searchenginejournal.com) 10
"A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites," reports Search Engine Journal.
The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.
The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.
Re: (Score:2)
that's not WordPress but a third party plugin.
Still less than 0.5% of WordPress. (Score:5, Interesting)
What people tend to overlook is the sheer size of the WordPress installbase. WordPress makes up roughly a third of the dynamic Web. Like, the _entire_ Web. That's roughly 50 Million active installations. WordPress dwarfs everything else by orders of magnitude. For that its security track-record is actually quite impressive. Any flawed plugin with less than 20000 installs isn't even worth mentioning in this context. This one is though and as usual, the plug-in devs did one shitty job.
If you're looking for WordPress anti-spam, just stick with Akismet. It has been an official automatic product for quite some time now and it's even installed by default.
Re:Still less than 0.5% of WordPress. (Score:5, Informative)
I host a few wordpress sites for some customers who wanted it. Not that I would recommend it but I am not going to play evangelist with the customers although I tell them.
Here is what I recommend at least for hosting wordpress sites:
1) Always have a mod_security or equivalent (like F5) fine tuned for wordpress for that site reverse-proxy in front of the wordpress host.
2) Always install in a sub-directory, like https://example.com/ex/ [example.com] is the base of the wordpress install and redirect to it. A lot of silly attack and vulnerability discovering bots don't even follow redirects so you mitigate quite a bit that way.
To be fair ... (Score:2)
It's an anti-spam plugin, not an anti-rce plugin. :-)
(Unfortunately, their upcoming anti-rce plugin allows spam ...)
Shock! (Score:2)
Re: (Score:1)
What's the safe alternative?