Two critical vulnerabilities, CVE-2024-10542 and CVE-2024-10781, affecting CleanTalk’s Spam protection, Anti-Spam, and Firewall WordPress plugin (installed on over 200,000 sites), could enable unauthenticated attackers to install and activate malicious plugins, potentially leading to remote code execution. The flaws, carrying a CVSS score of 9.8, arise from authorization bypass issues, including a missing empty value check and reverse DNS spoofing. Users are strongly advised to update to patched versions (6.44 and 6.45) to mitigate these risks, as attackers could exploit these vulnerabilities to manipulate plugins and compromise site security. The warning coincides with broader malicious campaigns targeting WordPress sites for phishing, malware injection, and credential theft.
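To make the two failure modes named above concrete from a defender's point of view, the following is an added, generic illustration (not CleanTalk's code, and not a description of how the plugin actually performed its checks). It contrasts a weak authorization routine that accepts an empty token when the stored secret is unset and trusts a reverse-DNS (PTR) result on its own, with a hardened routine that rejects empty values and requires forward-confirmed reverse DNS. All function names (`weak_authorize`, `hardened_authorize`), the trusted domain suffix and the DNS tables are constructed for the example; real lookups are replaced by in-memory dictionaries so it runs offline.

```python
import hmac
from typing import Optional, Set

# Constructed fake DNS data (not real records). PTR records are published by
# whoever controls the IP's address block, so an attacker can point their own
# IP's PTR at any hostname they like. Forward (A) records are controlled by
# the hostname's real owner and are therefore what must be consulted.
FAKE_PTR = {
    "203.0.113.10": "api.trusted-vendor.example",  # legitimate vendor server
    "198.51.100.7": "api.trusted-vendor.example",  # attacker IP with spoofed PTR
}
FAKE_A = {
    "api.trusted-vendor.example": {"203.0.113.10"},
}

# Hypothetical trusted domain. The leading dot prevents
# "evil-trusted-vendor.example" from matching an endswith() check.
TRUSTED_SUFFIX = ".trusted-vendor.example"


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR lookup (socket.gethostbyaddr in real code)."""
    return FAKE_PTR.get(ip)


def forward_lookup(host: str) -> Set[str]:
    """Stand-in for an A/AAAA lookup of the hostname the PTR returned."""
    return FAKE_A.get(host, set())


def weak_authorize(presented_token: str, stored_token: str, client_ip: str) -> bool:
    """Illustrates both weaknesses named on the page.

    1. No empty-value check: on a site where the stored token was never set
       (empty string), an empty presented token compares equal and passes.
    2. Reverse DNS trusted on its own: the PTR name is attacker-controlled,
       so a hostname under the trusted suffix proves nothing.
    """
    if presented_token == stored_token:
        return True
    host = reverse_lookup(client_ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)


def hardened_authorize(presented_token: str, stored_token: str, client_ip: str) -> bool:
    """Hardened counterpart.

    - Both tokens must be non-empty before comparison, and the comparison is
      constant-time.
    - A reverse-DNS match only counts if the hostname's own forward records
      include the connecting IP (forward-confirmed reverse DNS, FCrDNS).
    """
    if stored_token and presented_token and hmac.compare_digest(presented_token, stored_token):
        return True
    host = reverse_lookup(client_ip)
    if not host or not host.endswith(TRUSTED_SUFFIX):
        return False
    return client_ip in forward_lookup(host)


if __name__ == "__main__":
    # Site with no token configured, request carries an empty token:
    print("weak, empty token:    ", weak_authorize("", "", "192.0.2.50"))        # True
    print("hardened, empty token:", hardened_authorize("", "", "192.0.2.50"))    # False
    # Attacker IP whose PTR claims to be the vendor:
    print("weak, spoofed PTR:    ", weak_authorize("x", "s3cret", "198.51.100.7"))      # True
    print("hardened, spoofed PTR:", hardened_authorize("x", "s3cret", "198.51.100.7"))  # False
    # Legitimate vendor IP passes FCrDNS:
    print("hardened, real vendor:", hardened_authorize("x", "s3cret", "203.0.113.10"))  # True
```

The general lesson is that "value A equals value B" is not authorization unless both values are known to be non-empty secrets, and that a PTR record is an assertion by the client's network, not by the party it names; only the forward lookup closes the loop. In an incident-response context, requests to plugin-management endpoints from IPs whose PTR names a trusted vendor but whose forward records do not resolve back are a useful detection signal.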