CleanTalk Isn’t Doing Real Security Reviews of WordPress Plugins and Their Plugin Contains Vulnerabilities
Last week we mentioned in a post that security reviews of WordPress plugins would provide a good idea of how secure they are, but those reviews are rarely done. Just prior to writing that post, we ran across a security provider claiming to be doing those reviews, and a lot of them. That provider is CleanTalk. In checking into whether they were really doing reviews, we found that their own plugin, Anti-Spam by CleanTalk, which they had just claimed to have reviewed and found no issues in, contains easy to spot vulnerabilities caused by a lack of basic security. That would have been caught by a real review. We found the same missing check in other plugins they claimed to have reviewed.
We have previously noted on our blog multiple instances where CleanTalk was either very confused about security or just being dishonest. In February, we noted that they had greatly overstated the risk of a vulnerability, seemingly because they lack a basic understanding of securing web apps. In May, we noted they had made up a “critical” vulnerability in a plugin with 100,000+ installs. That same month, we noted they had claimed that a vulnerability in another 100,000+ install plugin had been fixed, when it hadn’t.
The problems have persisted. In a more recent situation, they were claiming that they had found a persistent (stored) cross-site scripting (XSS) vulnerability in a plugin, but as noted by another provider they submitted the claim to, it really involved reflected cross-site scripting (XSS). CleanTalk seemed very confused about what was going on.
Based on all that, any claim made by them should be assumed to be unreliable. So already, there would be plenty of reason to think they are not doing the reviews they claim. But what do you find when you start looking into the claimed reviews?
Impressive Sounding Review Standard
If you go to the page for CleanTalk’s claimed review of their plugin Anti-Spam by CleanTalk, some of the information sounds impressive. They make this claim:
Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards.
(It’s unclear why they have quote marks around the name of their certification.)
They also write this under the heading Security Assurance (all in the third-person):
Spam Protection, Anti-Spam, Firewall by CleanTalk places a strong emphasis on security, ensuring that your website remains protected against various spam threats. The plugin has undergone rigorous security testing and has successfully earned the prestigious Plugin Security Certification (PSC) from CleanTalk. This certification affirms the plugin’s compliance with stringent security standards and protocols, demonstrating CleanTalk’s commitment to maintaining the highest level of security for your website. By leveraging CleanTalk’s cloud-based architecture, the plugin performs real-time checks and filters spam efficiently, reducing server load and enhancing overall site performance.
Less Impressive Sounding Review Checks
A critical element in determining the quality of a security review of a WordPress plugin is what is actually checked for. CleanTalk provides this vague explanation of what areas they are supposed to be checking:
Successfully tested for SQL Injections, XSS Attacks, CSRF Attacks, Authentication Vulnerabilities, Authentication Bypass Vulnerabilities, Privilege Escalation Vulnerabilities, Buffer Overflow Vulnerabilities, Denial-of-Service (DoS) Vulnerabilities, Data Leakage Vulnerabilities, Insecure Dependencies, Code Execution Vulnerabilities, Privilege Escalation Vulnerabilities, File Unauthorized Access Vulnerabilities, Insufficient Injection Protection, and Information Leakage Vulnerabilities.
There are so many red flags in that.
We are not even sure what some of those are supposed to mean, and it seems likely they don’t either. They claim to check for “Insufficient Injection Protection.” We did a web search on that term and didn’t find any mentions other than on their own website. Searching for injection protection brought up results referring to SQL injection, which they list separately as being checked.
They claim to check for “Authentication Vulnerabilities” and “Authentication Bypass Vulnerabilities.” It seems like a bypass of authentication would be an authentication vulnerability.
They also claim to check for “Data Leakage Vulnerabilities” and “Information Leakage Vulnerabilities,” which seem like they would be different names for the same issue.
With another element, “Privilege Escalation Vulnerabilities”, they mention it twice.
They also claim to be checking for “Buffer Overflow Vulnerabilities,” which is not relevant to WordPress plugins, since they are written in PHP, not C or another language subject to that issue. That stands out as suggesting they are not on the level at all.
Finally, they claim to check for “Denial-of-Service (DoS) Vulnerabilities,” which could be an issue in a plugin in limited circumstances, but based on everything else mentioned, it seems more likely to have been thrown in because it is a widely mentioned issue.
A Lot of Reviews
Something else that raised our suspicions is the number of reviews they were claiming to do. In the month of July, they posted claims that 11 plugins had passed reviews. That is a lot.
Insecure Code in Their Plugin and Others
They posted that certification of their own plugin after we had taken an initial look at the plugins they were claiming to have reviewed. With the first plugin we took a quick look at, we immediately found that the plugin was lacking basic security and then, with almost no more checking, found it was exploitable. With the next plugin we checked, chosen because it had only recently fixed a vulnerability known about for years, we found that it was also insecure in the same way.
After that, we started running plugins they claimed to have reviewed through our Plugin Security Checker, to see if it identified any possible issues in the plugins. One of the plugins it flagged for improper security was Anti-Spam by CleanTalk. Checking into the identified issue, we found another, more serious security issue.
In the function apbct_settings__get_key_auto() in the file /inc/cleantalk-settings.php, they use the security function filter_input() without specifying any filter (the relevant lines of the function are shown below; the rest is omitted):
function apbct_settings__get_key_auto($direct_call = false)
{
    if ( ! $direct_call ) {
        check_ajax_referer('ct_secret_nonce');
    }

    global $apbct;

    $website  = parse_url(get_option('home'), PHP_URL_HOST) . parse_url(get_option('home'), PHP_URL_PATH);
    $platform = 'wordpress';
    $user_ip  = Helper::ipGet('real', false);
    $timezone = filter_input(INPUT_POST, 'ct_admin_timezone');
With no filter argument, filter_input() applies FILTER_DEFAULT, so it doesn’t do any filtering.
What is more concerning is that the function includes a nonce check, but not a capability check to limit access to the function. That check is needed there, as the function is AJAX accessible to anyone logged in to WordPress:
add_action('wp_ajax_apbct_get_key_auto', 'apbct_settings__get_key_auto');
Other AJAX accessible functions in the plugin are also missing the security check.
That is a really basic part of security. Any security review of a WordPress plugin should have caught that. More importantly, the developer of a security plugin shouldn’t have that sort of issue.
That missing capability check is also a problem in the two other plugins we looked at that they had certified as adhering to “stringent security standards.”
Beyond that being a basic part of security that should have been checked during a security review, at least one of the following things they claim to check for should have caught this: Authentication Vulnerabilities, Authentication Bypass Vulnerabilities, or Privilege Escalation. We would classify it as a privilege escalation vulnerability.
It gets worse.
It’s a Vulnerability
While normally a nonce check will do the equivalent of a capability check, the WordPress documentation is clear that it shouldn’t be relied on for that:
Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.
They have named the nonce they are checking for “ct_secret_nonce.” It turns out it isn’t a secret, as it is made available on every admin page of the website. That is done by the function apbct_admin__enqueue_scripts(), which is in the file /inc/cleantalk-admin.php (the function is shown up to the nonce being passed to the script):
function apbct_admin__enqueue_scripts($hook)
{
    global $apbct;

    // Scripts to all admin pages
    wp_enqueue_script(
        'cleantalk-modal',
        APBCT_JS_ASSETS_PATH . '/apbct-public--3--cleantalk-modal.min.js',
        array('jquery'),
        APBCT_VERSION
    );
    wp_enqueue_script(
        'ct_admin_common',
        APBCT_JS_ASSETS_PATH . '/cleantalk-admin.min.js',
        array('cleantalk-modal', 'jquery'),
        APBCT_VERSION
    );
    wp_enqueue_style(
        'ct_admin_css',
        APBCT_CSS_ASSETS_PATH . '/cleantalk-admin.min.css',
        array(),
        APBCT_VERSION,
        'all'
    );
    wp_enqueue_style(
        'ct_icons',
        APBCT_CSS_ASSETS_PATH . '/cleantalk-icons.min.css',
        array(),
        APBCT_VERSION,
        'all'
    );
    wp_localize_script('ct_admin_common', 'ctAdminCommon', array(
        '_ajax_nonce' => wp_create_nonce('ct_secret_nonce'),
That function is registered to run whenever an admin page is accessed:
add_action('admin_enqueue_scripts', 'apbct_admin__enqueue_scripts');
All of that exists in the version of the plugin they claimed to have reviewed, 6.37.
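To show what the fix looks like, here is an added example (written for this post, not code from CleanTalk’s plugin) of a hypothetical admin-ajax handler following the same pattern described above, first with only the nonce check and then hardened with the capability check the WordPress documentation calls for, a real input filter, and the nonce only handed out on the plugin’s own settings page. All function, hook and nonce names are made up, and the code assumes it runs inside WordPress.

```php
<?php
// Added example, not CleanTalk's code. Hypothetical names throughout.

// Weak pattern: wp_ajax_* hooks fire for ANY logged-in user, and
// check_ajax_referer() only proves the request carries a nonce that, as in the
// plugin above, is handed out on every admin page. No authorization happens.
function example_get_key_auto_weak() {
    check_ajax_referer('example_nonce');              // CSRF protection only
    $timezone = filter_input(INPUT_POST, 'timezone'); // FILTER_DEFAULT: no filtering
    // ... privileged work would follow here ...
    wp_send_json_success(array('timezone' => $timezone));
}
add_action('wp_ajax_example_get_key_auto_weak', 'example_get_key_auto_weak');

// Hardened pattern: nonce for CSRF, current_user_can() for authorization,
// and an explicit validating filter on the input.
function example_get_key_auto() {
    check_ajax_referer('example_nonce');
    if ( ! current_user_can('manage_options') ) {     // capability check
        wp_send_json_error('insufficient privileges', 403);
    }
    $timezone = filter_input(
        INPUT_POST,
        'timezone',
        FILTER_VALIDATE_REGEXP,
        array('options' => array('regexp' => '/^[A-Za-z_]+(\/[A-Za-z0-9_+-]+)*$/'))
    );
    if ( $timezone === false || $timezone === null ) {  // rejected or absent
        wp_send_json_error('invalid timezone', 400);
    }
    wp_send_json_success(array('timezone' => $timezone));
}
add_action('wp_ajax_example_get_key_auto', 'example_get_key_auto');

// Only enqueue the script, and with it the nonce, on the plugin's own settings
// page instead of on every admin page. This is defense in depth; the capability
// check above is what actually stops lower-privileged users.
function example_admin_enqueue_scripts($hook) {
    if ( $hook !== 'settings_page_example' ) {        // hypothetical page hook
        return;
    }
    wp_enqueue_script('example_admin', plugins_url('admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('example_admin', 'exampleAdmin', array(
        '_ajax_nonce' => wp_create_nonce('example_nonce'),
    ));
}
add_action('admin_enqueue_scripts', 'example_admin_enqueue_scripts');
```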
That the code is so poorly developed isn’t all that surprising if you have looked at the support forums for the plugin and their other plugin, which contain numerous complaints about the plugins being broken over a long period.
Dishonest Company
Combining all that, you have a security provider that is dishonest to an incredible degree. Faking security reviews and claiming that your own plugins meet stringent standards, while failing at the basics, is incredible. That is in line with other things about the developer as well. Look at one recent review of CleanTalk’s dishonest behavior and the developer’s response. The developer’s response is basically that they are sorry you don’t appreciate them being dishonest. The company looks to be run by Russians, which might explain a lot about what is going on.