CVE-2026-1490
CleanTalk · Spam protection, Anti-Spam, FireWall plugin
The CleanTalk Anti-Spam plugin for WordPress allows unauthenticated attackers to install arbitrary plugins via PTR record spoofing, potentially leading to remote code execution.
Executive summary
A critical vulnerability in the CleanTalk Anti-Spam WordPress plugin allows unauthenticated attackers to bypass authorization and install arbitrary plugins, potentially leading to full site takeover via remote code execution.
Vulnerability
This vulnerability is an authorization bypass in the checkWithoutToken function. The function relies on the reverse DNS (PTR) record of the requesting IP address, which is controlled by whoever controls that address's reverse zone. By spoofing the PTR record, an unauthenticated attacker can trick the plugin into permitting arbitrary plugin installation and activation, particularly on sites with invalid API keys.
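To show why a PTR-based trust check is weak, the following added example (not CleanTalk's code) contrasts a PTR-only check with a forward-confirmed reverse DNS (FCrDNS) check on constructed DNS data; "trusted.example" and the IP addresses are assumptions, and resolvers are injected so it runs offline.

```python
# Added illustration of the weakness class: trusting the caller's PTR record.
# Resolvers are passed in as functions so the example runs on constructed data.
from typing import Callable, Iterable, Optional

PtrLookup = Callable[[str], Optional[str]]      # ip -> hostname or None
ForwardLookup = Callable[[str], Iterable[str]]  # hostname -> list of IPs


def _suffix_allowed(hostname: str, trusted_suffixes: Iterable[str]) -> bool:
    """True if hostname equals, or is a subdomain of, a trusted suffix."""
    host = hostname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def ptr_only_check(ip: str, trusted_suffixes: Iterable[str], ptr: PtrLookup) -> bool:
    """Weak pattern: accept the request if the PTR record looks trusted.
    The PTR zone is attacker-influenced input, so a spoofed record passes."""
    hostname = ptr(ip)
    return hostname is not None and _suffix_allowed(hostname, trusted_suffixes)


def fcrdns_check(ip: str, trusted_suffixes: Iterable[str],
                 ptr: PtrLookup, forward: ForwardLookup) -> bool:
    """Hardened pattern: additionally require the claimed hostname to resolve
    forward to the same IP. The forward record lives in the trusted party's
    zone, which the attacker does not control. Even so, DNS identity is not a
    substitute for an authenticated token on a privileged action."""
    hostname = ptr(ip)
    if hostname is None or not _suffix_allowed(hostname, trusted_suffixes):
        return False
    return ip in set(forward(hostname))


# Constructed sample DNS data (assumption): 198.51.100.10 is the genuine
# address of api.trusted.example; 203.0.113.5 is an attacker-controlled IP
# whose reverse zone publishes the same hostname.
SAMPLE_PTR = {"198.51.100.10": "api.trusted.example.",
              "203.0.113.5": "api.trusted.example."}
SAMPLE_A = {"api.trusted.example": ["198.51.100.10"]}
TRUSTED = ["trusted.example"]


def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(hostname: str) -> Iterable[str]:
    return SAMPLE_A.get(hostname.rstrip(".").lower(), [])


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, "ptr_only:", ptr_only_check(ip, TRUSTED, sample_ptr),
              "fcrdns:", fcrdns_check(ip, TRUSTED, sample_ptr, sample_forward))
```

The spoofed address passes the PTR-only check but fails FCrDNS; the genuine address passes both.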
Business impact
A successful exploit could lead to complete compromise of the WordPress environment. By installing and activating additional vulnerable plugins, attackers can achieve remote code execution (RCE), resulting in data theft, site defacement, and total loss of administrative control. The CVSS score of 9.8 reflects the critical nature of this unauthenticated entry point and the potential for total system impact.
Remediation
Immediate Action: Update the CleanTalk Anti-Spam plugin to the latest available version (6.72 or higher) without delay to patch the vulnerable function.
Proactive Monitoring: Review WordPress audit logs for any unauthorized plugin installations or activations and verify the validity of your CleanTalk API keys.
Compensating Controls: Implement a Web Application Firewall (WAF) to filter suspicious traffic and restrict unauthorized administrative actions at the network edge.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a severe risk to WordPress integrity. Organizations must prioritize the update of the CleanTalk plugin to the latest version immediately. Failure to remediate this flaw could allow an external actor to gain full administrative access and execute malicious code without any prior credentials.