CVE-2024-10781: 
WordPress vulnerability analysis and mitigation

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress contains a critical vulnerability (CVE-2024-10781) affecting versions up to and including 6.44. This vulnerability allows unauthenticated attackers to perform unauthorized arbitrary plugin installations due to a missing empty value check on the 'api_key' value in the 'perform' function. The plugin, which has over 200,000 active installations, received a CVSS score of 9.8, indicating critical severity (SecurityWeek, HackerNews).

The vulnerability stems from an authorization bypass issue where the plugin fails to properly validate empty API key values. When a website has not configured the API key in the plugin, an attacker can authorize themselves using a token matching the empty hash value. This security flaw allows unauthenticated attackers to perform privileged actions such as plugin installation, activation, deactivation, or uninstallation. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (SecurityOnline).

The successful exploitation of this vulnerability could allow attackers to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This poses a significant risk to website security and integrity, potentially enabling complete site compromise (SecurityWeek).

The vulnerability has been patched in version 6.45 of the Spam protection, Anti-Spam, FireWall by CleanTalk plugin. Website administrators are strongly advised to update to this version immediately to protect against potential attacks (HackerNews).