The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
The 'checkWithoutToken' function implements an authorization mechanism based on verification of the PTR record (reverse DNS) of the calling IP address. An attacker can spoof the PTR record of their IP address so that authentication passes successfully, which is a classic case of CWE-350 — reliance on user-provided input that can be spoofed. Successful authorization bypass allows the plugin installation function to be called without a valid API token. The vulnerability can only be exploited on WordPress sites that have an incorrect (invalid) CleanTalk API key.
An unauthenticated attacker can install and activate any WordPress plugin, which combined with installing a vulnerable plugin can lead to complete server takeover via RCE. The confidentiality, integrity, and availability of the system are at risk.
The plugin should be updated to a version higher than 6.71 according to the changeset available in the WordPress repository (changeset 3454488). Additionally, it is recommended to verify the correctness of the CleanTalk API key and review installed plugins for unauthorized installations.
'Spam protection, Anti-Spam, FireWall by CleanTalk' plugin for WordPress — all versions up to and including 6.71, only on sites with an incorrect CleanTalk API key.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H