The discovery and remediation of the vulnerabilities followed a detailed timeline involving collaborative efforts between security researchers and the CleanTalk team, as noted on the Wordfence blog. Check out the timeline:
October 30, 2024 : First vulnerability (CVE-2024-10542) reported and confirmed;
November 1, 2024 : Version 6.44 released with partial fix;
November 4, 2024 : Second vulnerability (CVE-2024-10781) identified;
November 14, 2024 : Version 6.45 released with full fixes for both flaws.
Despite these updates, WordPress data indicates that, as of November 26, 2024, approximately half of sites had still not applied the necessary fixes.
Recommendations for companies and their websites
If you use the CleanTalk plugin on your website, some actions are essential to ensure security.
Update the plugin immediately : Make sure the installed version is 6.45 or later, which includes the fixes for both vulnerabilities.
Configure the API key correctly : Leaving this key unconfigured is one of the factors that makes exploitation easier.
Implement a Web Application Firewall (WAF) : Tools like Wordfence can block attempts to exploit vulnerabilities.
Review other installed plugins : Ensure all website components are up to date and free from known vulnerabilities.
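To make the first recommendation repeatable across many sites, the following added example (not code from the article or from CleanTalk) reads the `Version:` line of a WordPress plugin's main-file header and compares it numerically against 6.45, the release the article names as the full fix. The plugin header text is a constructed sample; the header format itself is WordPress's standard one.

```python
import re
from pathlib import Path

# Release that ships the full fix for both CVEs, as stated in the article.
FIXED_VERSION = "6.45"

# Constructed sample of a WordPress plugin main-file header (not the real CleanTalk file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Example Anti-Spam Plugin
 * Version: 6.44
 * Author: Example
 */
"""

_VERSION_LINE = re.compile(r"^[\s*/#]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)


def version_tuple(version: str) -> tuple:
    """'6.45.1' -> (6, 45, 1); tuples compare numerically, unlike plain strings."""
    return tuple(int(part) for part in version.split("."))


def parse_header_version(header_text: str):
    """Return the header's version as a tuple, or None if no Version: line exists."""
    match = _VERSION_LINE.search(header_text)
    return version_tuple(match.group(1)) if match else None


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is the fixed release or newer.

    A lexical comparison would call '6.100' older than '6.45'; tuples do not.
    """
    return version_tuple(installed) >= version_tuple(fixed)


def audit_header(header_text: str) -> str:
    """Classify a plugin header as 'patched', 'outdated' or 'unknown'."""
    found = parse_header_version(header_text)
    if found is None:
        return "unknown"
    return "patched" if found >= version_tuple(FIXED_VERSION) else "outdated"


def audit_plugin_file(path: str) -> str:
    """Audit a plugin main file on disk (path is supplied by the caller)."""
    return audit_header(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    print(audit_header(SAMPLE_PLUGIN_HEADER))  # prints "outdated" for the sample
```

Point `audit_plugin_file` at each site's copy of the plugin's main PHP file to flag installations still below 6.45.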
Risks for companies and economic impacts
The CleanTalk plugin flaws highlight how vulnerabilities can impact businesses of all sizes. A compromised website can lead to the loss of sensitive data, undermine customer trust, and in extreme cases, result in legal sanctions for violating regulations such as the GDPR.
Additionally, exploiting these flaws could allow the injection of malicious code that could redirect visitors to fraudulent websites, steal login credentials, and install malware on users' devices.
According to a report from Sucuri, attacks involving compromised plugins account for 39% of WordPress site breaches. This statistic reflects the urgency of implementing good security practices, especially for businesses that rely on their websites for lead generation and sales.
Therefore, for companies that do not have expertise in digital security, relying on the support of a specialized agency may be the best option. Remember: a preventive approach is always more efficient and cost-effective than dealing with the losses from a successful attack.