9 Dec 2024

Wordfence and “News” Outlets Recommend Updating WordPress Plugin to Version Still Known to be Vulnerable

What we see over and over is that WordPress security providers and supposed journalists are focused on getting attention for themselves while failing to provide the information that would actually make WordPress websites more secure. A recent example (once again) involved Wordfence. As usual, they were using a vulnerability in a plugin to promote themselves:

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk. [Read more]

6 Aug 2024

CleanTalk Isn’t Doing Real Security Reviews of WordPress Plugins and Their Plugin Contains Vulnerabilities

Last week we mentioned in a post that security reviews of WordPress plugins would give a good idea of how secure they are, but that such reviews are rarely done. Just prior to writing that post, we ran across a security provider claiming to be doing those reviews, and a lot of them. That provider is CleanTalk. In checking whether they were really doing reviews, we found that their own plugin, Anti-Spam by CleanTalk, which they had just claimed to have reviewed without finding any issues, contains easy to spot vulnerabilities caused by a lack of basic security. A real review would have caught that. We found the same missing check in other plugins they claimed to have reviewed.

We have previously noted on our blog multiple instances where CleanTalk was either very confused about security or simply being dishonest. In February, we noted that they had greatly overstated the risk of a vulnerability, seemingly because they lack a basic understanding of securing web apps. In May, we noted they had made up a “critical” vulnerability in a plugin with 100,000+ installs. That same month, we noted they had claimed that a vulnerability in another 100,000+ install plugin had been fixed, when it hadn’t. [Read more]

7 Jan 2019

Our Plugin Security Checker Could Have Warned You About the Possibility of Vulnerabilities in a Couple of WordPress Plugins with 80,000 Installs

On Friday, in our post detailing a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Ninja Forms, which has 1+ million active installations according to wordpress.org, we noted that our Plugin Security Checker, a tool that allows anyone to see if there are possible security issues in a WordPress plugin that warrant further investigation, had been updated to better catch that type of issue, based on variations in that plugin’s code from how things are normally done.

We were also interested in seeing if there were other popular plugins with similarly vulnerable code that had yet to be caught by anyone because of those variations, so we ran the updated check from the Plugin Security Checker over the 1,000 most popular plugins in the WordPress Plugin Directory. What we found was that a number of those plugins look like they might be vulnerable, though most of them didn’t contain the variations, so our Plugin Security Checker would already have spotted them. [Read more]

20 Nov 2018

We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed that they knew about it after others had noticed it, and possibly after it had been exploited. Completely coincidentally, during our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we spotted the same kind of serious vulnerability being introduced today into a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

The vulnerability is due to changing the following line: [Read more]
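For readers unfamiliar with the vulnerability class, the following is an added illustration of the general shape of a PHP object injection in a WordPress request handler, alongside a hardened version. It is not the CleanTalk plugin’s code and not the line the post goes on to show; the class and function names are hypothetical, while the WordPress functions used (wp_unslash, current_user_can, check_ajax_referer, wp_send_json_error) are real.

```php
<?php
// Added illustration, not the plugin code discussed in the post.
// Hypothetical names: Hypothetical_Log_Writer, hypothetical_*_handler.

// Any loadable class with a magic method is a potential "gadget": PHP runs
// __destruct() when the object is freed, so an attacker who controls the
// serialized string controls the property values used inside it.
class Hypothetical_Log_Writer {
    public $path;
    public $line;
    public function __destruct() {
        // With attacker-chosen $path and $line this is an arbitrary file write,
        // e.g. dropping a .php file into a web-reachable directory.
        file_put_contents( $this->path, $this->line, FILE_APPEND );
    }
}

// Vulnerable: unserialize() on request data instantiates whatever class the
// payload names, so the attacker, not the plugin, picks the object.
function hypothetical_vulnerable_handler() {
    $settings = unserialize( wp_unslash( $_POST['settings'] ) );
    // ... use $settings as an array of options ...
}

// What an attacker would send to the handler above (constructed here with
// serialize() for readability; a real payload is just this string in $_POST).
function hypothetical_attacker_payload() {
    $gadget       = new Hypothetical_Log_Writer();
    $gadget->path = ABSPATH . 'wp-content/uploads/shell.php';
    $gadget->line = '<?php system( $_GET["c"] ); ?>';
    return serialize( $gadget ); // O:23:"Hypothetical_Log_Writer":2:{...}
}

// Hardened: check who is calling, check the request is intentional, and use a
// data format that cannot name classes at all.
function hypothetical_hardened_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'hypothetical_settings', 'nonce' );

    $settings = json_decode( wp_unslash( $_POST['settings'] ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'bad input', 400 );
    }
    // ... use $settings ...
}

// If serialized PHP genuinely cannot be avoided (PHP 7+), forbid object
// creation: every object in the payload becomes __PHP_Incomplete_Class and no
// magic methods run on it.
function hypothetical_safe_unserialize( $data ) {
    return unserialize( $data, array( 'allowed_classes' => false ) );
}
```

The capability and nonce checks matter even with json_decode(): the missing-check pattern mentioned in the CleanTalk post above is what lets an unauthenticated or low-privileged visitor reach handlers like this in the first place.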