CVE-2024-10570: 
WordPress vulnerability analysis and mitigation

The Security & Malware scan by CleanTalk plugin for WordPress contains a critical vulnerability (CVE-2024-10570) that was discovered and disclosed on November 26, 2024. The vulnerability affects all versions up to and including 2.145. This security flaw combines an authorization bypass vulnerability through reverse DNS spoofing in the checkWithoutToken function with insufficient input sanitization and validation issues (NVD NIST).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 7.5 (HIGH). The attack vector is characterized as Network (N) with Low attack complexity (L), requiring No privileges (N) and No user interaction (UI). The scope is Unchanged (U) with High confidentiality impact (H), but No impact on integrity (N) or availability (N), as reflected in the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD NIST).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. This poses a significant risk to data confidentiality as attackers can access protected information without authentication (NVD NIST).

Users of the Security & Malware scan by CleanTalk plugin should immediately update their installations to a version newer than 2.145 once available. In the meantime, website administrators should consider implementing additional security measures or temporarily disabling the plugin if possible (NVD NIST).