Bluesky Emerges As Traffic Source: Publishers Report 3x Engagement via @sejournal, @MattGSouthern

Bluesky, a decentralized social network, recently shared that it’s become a growing traffic source for online publishers.

The blog post included quotes and data from several well-known news outlets, showing more engagement and conversions on Bluesky than on other social media platforms.

Publisher Testimonials Highlight Bluesky’s Impact

Matt Karolian from The Boston Globe reported, “Traffic from Bluesky to @bostonglobe.com is already 3x that of Threads, and we are seeing 4.5x the conversions to paying digital subscribers.”

Dave Earley from The Guardian also chimed in, suggesting that traffic from Bluesky to The Guardian is “significantly higher than the very obvious 2x that of Threads.”

According to Kevin Rothrock from The New York Times, “It’s hard to exaggerate how nuts the engagement is on Bluesky compared to 𝕏. A vastly smaller user base (at this point) but so much more active and attentive.”

Marc Elias from Democracy Docket noted, “Traffic from Bluesky to @democracydocket.com is surging while X is falling and Threads remains largely dormant.”

Open Source Web Development Community Thriving on Bluesky

Bluesky has a highly engaged user base that benefits more than just news publishers.

Patak, an open-source web developer, noted that even though they have only 6% of the followers on Bluesky compared to 100,000 on X (formerly Twitter), their announcement post for Vite 6.0 received half the reposts and a third of the likes.

“Most of the comments and quotes from OSS maintainers happened here,” Patak noted. “I don’t know about other communities, but OSS web dev is a Bluesky game now.”

SEO Community Finding a Home on Bluesky

Many SEO professionals, publishers, and developers are now using Bluesky. They like the platform’s features and high engagement, which support discussions and knowledge sharing.

Bluesky is more accommodating towards links compared to X. A company representative stated:

“We want Bluesky to be a great home for journalists, publishers, and creators. Unlike other platforms, we don’t de-promote your links. Post all the links you want — Bluesky is a lobby to the open web.”

This contrasts with a recent statement from Elon Musk, who didn’t deny claims that X demotes posts with links in them.

Bluesky’s algorithm could help SEO-related content get more visibility. Unlike X, where posts can disappear quickly, Bluesky’s decentralized system and focus on user control allow SEO content to stay visible longer and reach a bigger audience.

Bluesky also offers “starter packs” and curated feeds, making it easy to join industry conversations in real-time.

Looking Ahead

Bluesky could become a preferred social network for SEO professionals, offering space to share website content without losing engagement.

It’s important to watch how Bluesky develops and grows to see if it can replace X as the main platform for the SEO community.

You can take advantage of this platform’s opportunities by staying updated and adapting to changes.


Featured Image: Shutterstock/NasShots

New Report Shows AI Overviews Trends Are Stabilizing via @sejournal, @martinibuster

As we enter the holiday season, October’s data reveals significant shifts and stabilization across industries in AI Overviews (AIOs). Critical insights from October reveal growth in certain sectors, stability in others, and strategic changes in content types and sources. These insights offer actionable strategies for marketers aiming to optimize for AIOs during this critical period.

YouTube Citations In AI Overviews: September Through October

YouTube citations in AI Overviews surged in September to 400 - 450% above the August baseline (August being the month when YouTube citations were first tracked). The level then stabilized in October at about 110% to 115% of the August baseline, which suggests that this level of YouTube AIO citations may represent a new normal.

The kinds of video content that Google AIO tended to cite were:

  • How-tos
  • In-depth reviews
  • Product comparisons

BrightEdge’s report observed that YouTube AIO citations in November continued to be stable:

Current State (November): Stabilized at approximately 115-120% with minimal day-to-day variation (±3%).

The next few months will show how satisfied users are with YouTube citations. Presumably Google tested YouTube citations before rolling them out, so expectations for a dramatic change should be kept in check. The volatility of YouTube AIO citations was low, indicating that Google may have found the sweet spot for these kinds of citations. So don’t expect this level of YouTube citations to drop, although anything is possible.

This trend highlights the continued importance of a YouTube video channel as a way to expand reach, and the continued evolution away from purely text content. If you embed video on web pages, it’s important to use Schema.org video structured data.

Massive Growth In Travel Industry AIO Citations

Travel AIO citations surged by 700% from September through October. This may reflect Google’s confidence in AI for making travel recommendations.

BrightEdge offered this advice:

“To capture AIO visibility, travel brands should optimize content around seasonal travel, local events, and specific activities. Many of the keywords that are part of this surge start with “Things to do” which then triggers an unordered list.”

Localized and Activity-Specific Travel Queries

Google AIO is showing citations for more localized, specific, long-tail travel queries, which may mean that AI Overviews is handling more local travel queries, drilled down to the neighborhood level, rather than the broad destination queries it handled before.

BrightEdge explained:

“Initially, travel AIOs were dominated by broad, general queries focused on major tourist destinations. However, as the month progressed, there was an increase in more localized, activity specific, and seasonal travel searches, reflecting a deeper level of user intent. By November, AIOs were increasingly focused on niche travel queries covering smaller cities, specific neighborhoods, and unique local activities.”

Examples of the pattern of travel queries that triggered AIO are:

  • Top attractions in
  • Things to do in
  • Family friendly activities in
  • Fall festivals in

AIO Is Stabilizing And Maturing

Another interesting insight from the BrightEdge data is that the daily growth of AIO citations slowed down to 1.3%, indicating that we are now entering a more stable phase.

BrightEdge offers this insight:

“We are now six months into the AIO era and seeing macro-changes in AI overviews that are getting smaller and smaller”

Another statistic that confirms that AIO are here to stay is that volatility in AIO citations decreased by 42%, another sign of stability. This is good news because it means more predictability for what keyword phrases will trigger AIO citations.

BrightEdge notes:

“The stabilization in AIO appearance allows brands to optimize for a consistent presence, particularly for evergreen holiday keywords. This benefits campaigns where a steady AIO presence can drive significant traffic and conversions. As AIOs stabilize, planning and incorporating them into strategies becomes easier. This is a pivotal insight for marketers who wish to make AI Overviews part of their 2025 strategy.”

Education Topic Performance

Education topics were on a steady growth trajectory, with a 5% increase in keywords that trigger AIO, representing 45-50% of keywords. The growth was seen in more complex educational queries like:

  • cybersecurity certification prerequisites
  • career options with a psychology degree
  • psyd vs phd comparison

B2B queries experienced modest growth of 2%, representing 45-50% of keywords and with less volatility in October than September. Healthcare AIO citations were similarly stable with only a 1% change in October and with 73-75% of keywords triggering AIO citations.

Read more about the BrightEdge data here: https://www.brightedge.com/ai-overviews

How Chrome Site Engagement Metrics Are Used via @sejournal, @martinibuster

Google Chrome collects site engagement metrics, and Chromium project documentation explains exactly what they are and how they are used.

Site Engagement Metrics

The documentation for the Site Engagement Metrics shares that typing the following into the browser address bar exposes the metrics:

chrome://site-engagement/

What shows up is a list of sites that the browser has visited and Site Engagement Metrics.


The Site Engagement Metrics documentation explains that the metrics measure user engagement with a site and that the primary factor used is active time spent. It also offers examples of other signals that may contribute to the measurement.

This is what documentation says:

“The Site Engagement Service provides information about how engaged a user is with a site. The primary signal is the amount of active time the user spends on the site but various other signals may be incorporated (e.g whether a site is added to the homescreen).”

It also shares the following properties of the Chrome Site Engagement Scores:

  • The score is a double from 0-100. The highest number in the range represents a site the user engages with heavily, and the lowest number represents zero engagement.
  • Scores are keyed by origin.
  • Activity on a site increases its score, up to some maximum amount per day.
  • After a period of inactivity the score will start to decay.

What Chrome Site Engagement Scores Are Used For

Google is transparent about the Chrome Site Engagement metrics because the Chromium Project is open source. The documentation explicitly outlines what the site engagement metrics are, the signals used, how they are calculated, and their intended purposes. There is no ambiguity about their function or use. It’s all laid out in detail.

There are three main uses for the site engagement scores and all three are explicitly for improving the user experience within Chromium-based browsers.

Site engagement metrics are used internally by the browser for these three purposes:

  1. Prioritize Resources: Allocate resources like storage or background sync to sites with higher engagement.
  2. Enable Features: Determine thresholds for enabling specific browser features (e.g., app banners, autoplay).
  3. Sort Sites: Organize lists, such as the most-used sites on the New Tab Page or which tabs to discard when memory is low, based on engagement levels.

The documentation states that the engagement scores were specifically designed for the above three use cases.

Prioritize Resources

Google’s documentation explains that Chrome allocates resources (such as storage space) to websites based on their site engagement levels. Sites with higher user engagement scores are given a greater share of these resources within their browser. The purpose is so that the browser prioritizes sites that are more important or frequently used by the user.

This is what the documentation says:

“Allocating resources based on the proportion of overall engagement a site has (e.g storage, background sync)”

Takeaway: One of the reasons for the site engagement score is to prioritize resources to improve the browser user experience.

Role Of Engagement Metrics For Enabling Features

This part of the documentation explains that Chromium uses site engagement scores to determine whether certain browser features are enabled for a website. Examples of features are app banners and video autoplay.

The site engagement metrics are used to determine whether to let videos autoplay on a given site, if the site is above a specific threshold of engagement. This improves the user experience by preventing annoying video autoplay on sites that have low engagement scores.

This is what the documentation states:

“Setting engagement cutoff points for features (e.g app banner, video autoplay, window.alert())”

Takeaway: The site engagement metrics play a role in determining whether certain features like video autoplay are enabled. The purpose of this metric is to improve the browser user experience.

Sort Sites

The document explicitly says that site engagement scores are used to rank sites for browser functions like tab discarding (when memory is tight) or creating lists of the most-used sites on the New Tab Page (NTP).

“Sorting or prioritizing sites in order of engagement (e.g tab discarding, most used list on NTP)”

Takeaway: Sorting sites based on engagement ensures that the user’s most important and frequently interacted-with sites are prioritized in their browser. It also improves usability through tab management and quick access so that it matches user behavior and preferences.

Privacy

There is absolutely nothing that implies that Google Search uses these site engagement metrics. There is nothing in the documentation that explicitly mentions or implicitly alludes to any other purpose for the site engagement metrics except for improving the user experience and usability of the Chrome browser and Chromium-based devices like the Chromebook.

The engagement scores are limited to a device. The scores aren’t shared between the devices of a single user.

The documentation states:

“The user engagement scores are not synced, so decisions made on a given device are made based on the users’ activity on that device alone.”

The user engagement scores are further isolated when users are in Incognito Mode:

“When in incognito mode, site engagement will be copied from the original profile and then allowed to decay and grow independently. There will be no information flow from the incognito profile back to the original profile. Incognito information is deleted when the browser is shut down.”

User engagement scores are deleted when the browser history is cleared:

“Engagement scores are cleared with browsing history.

Origins are deleted when the history service deletes URLs and subsequently reports zero URLs belonging to that origin are left in history.”

The engagement score for a website decreases over time if the user doesn’t interact with the site; this drop is called “decay.” Forgetting stale engagement improves the relevance of the scores, and therefore how the browser optimizes itself for usability and the user experience.

The impact of user engagement scores that “decay to zero” is that the URLs are completely removed from the browser:

“URLs are cleared when scores decay to zero.”

Takeaway: What Could Google Do With This Data?

It’s understandable that some people, when presented with the facts about Chrome site engagement metrics, will ask, “What if Google is using it?”

Asking “what if” is a powerful way to innovate and explore how a service or a product can be improved or invented. However, basing business decisions on speculative ‘what if’ questions that contradict established facts is counterproductive.

These metrics are solely for improving browser user experience and usability. The scores are not synced and are limited to the device, they are further isolated in Incognito Mode, and they are completely erased when users stop interacting with a site.

That means that the question, “What if Chrome shared site engagement signals with Google?” has no basis in fact. The purpose of these signals and their documented use cases are fully transparent and well understood to be limited to browser usability.

Read the Chromium documentation:

For Developers > Design Documents > Site Engagement

Featured Image by Shutterstock/Cast Of Thousands

Automattic Quietly Intensifies WP Engine Tracker Site via @sejournal, @martinibuster

Automattic quietly updated the WP Engine Tracker website with an activity log showing a continuously updated list of domains that have switched away from managed WordPress host, WP Engine. This update is part of Mullenweg’s self-described “nuclear war” against WP Engine, with the Tracker site actively promoting competitors by offering links to their hosting promotions.

WP Engine Tracker

Automattic created a website for the purpose of tracking how many sites have abandoned WP Engine since September 21st, 2024, the date that Matt Mullenweg went “nuclear” on WP Engine after they rebuffed his request for $32 million. The website promotes deals with other web hosts for moving away from WP Engine, and offers a CSV spreadsheet with the domain names of the sites that have left WP Engine.

At some point after launch, the website was updated with a list of the top web hosts that WP Engine customers have migrated to and a constantly updated list of sites that have recently moved.

WP Engine Tracker “Activity Log Today”

Automattic escalated what the WP Engine Tracker website does by adding an additional feature that shows a continually updated running list of domains that have migrated away from WP Engine and the destination host.

Screenshot Of Activity Log Today Feature

WP Engine Lawsuit

The WP Engine Tracker website, created by Automattic and Matt Mullenweg to publicly monitor and offer links to promotions to other web hosts, was cited in a preliminary injunction filed by WP Engine as evidence of Mullenweg’s purposeful “attack on WPE” as part of his “nuclear war” against the managed WordPress host.

The preliminary injunction filed by WP Engine explains:

“Just last week, in an apparent effort to brag about how successful they have been in harming WPE, Defendants created a website—www.wordpressenginetracker.com—that “list[s] . . . every domain hosted by @wpengine, which you can see decline every day. 15,080 sites have left already since September 21st.

September 21 was not selected randomly. It is the day after Defendants’ self-proclaimed nuclear war began – an admission that these customer losses were caused by Defendants’ wrongful actions. In this extraordinary attack on WPE and its customers, Defendants included on their disparaging website a downloadable file of ‘all [WPE] sites ready for a new home’—that is, WPE’s customer list, literally inviting others to target and poach WPE’s clients while Defendants’ attacks on WPE continued.”

But available transcripts of the preliminary injunction hearing of November 26th do not show that it was mentioned. The judge at that hearing asked the plaintiff and defendants to return to court on Monday December 2nd with an agreement on a narrow and specific scope for a preliminary injunction, having said that the original request was too vague and consequently unenforceable.

Featured Image by Shutterstock/Gearstd

ChatGPT Search Shows 76.5% Error Rate In Attribution Study via @sejournal, @MattGSouthern

OpenAI’s ChatGPT Search is struggling to accurately cite news publishers, according to a study by Columbia University’s Tow Center for Digital Journalism.

The report found frequent misquotes and incorrect attributions, raising concerns among publishers about brand visibility and control over their content.

Additionally, the findings challenge OpenAI’s commitment to responsible AI development in journalism.

Background On ChatGPT Search

OpenAI launched ChatGPT Search last month, claiming it collaborated extensively with the news industry and incorporated publisher feedback.

This contrasts with the original 2022 rollout of ChatGPT, where publishers discovered their content had been used to train the AI models without notice or consent.

Now, OpenAI allows publishers to specify via the robots.txt file whether they want to be included in ChatGPT Search results.

However, the Tow Center’s findings suggest publishers face the risk of misattribution and misrepresentation regardless of their participation choice.

Accuracy Issues

The Tow Center evaluated ChatGPT Search’s ability to identify sources of quotes from 20 publications.

Key findings include:

  • Of 200 queries, 153 responses were incorrect.
  • The AI rarely acknowledged its mistakes.
  • Phrases like “possibly” were used in only seven responses.

ChatGPT often prioritized pleasing users over accuracy, which could mislead readers and harm publisher reputations.

Additionally, researchers found ChatGPT Search is inconsistent when asked the same question multiple times, likely due to the randomness baked into its language model.

Citing Copied & Syndicated Content

Researchers found that ChatGPT Search sometimes cites copied or syndicated articles instead of original sources.

This is likely due to publisher restrictions or system limitations.

For example, when asked for a quote from a New York Times article (currently involved in a lawsuit against OpenAI and blocking its crawlers), ChatGPT linked to an unauthorized version on another site.

Even with MIT Technology Review, which allows OpenAI’s crawlers, the chatbot cited a syndicated copy rather than the original.

The Tow Center found that all publishers risk misrepresentation by ChatGPT Search:

  • Enabling crawlers doesn’t guarantee visibility.
  • Blocking crawlers doesn’t prevent content from showing up.

These issues raise concerns about OpenAI’s content filtering and its approach to journalism, which may push people away from original publishers.

OpenAI’s Response

OpenAI responded to the Tow Center’s findings by stating that it supports publishers through clear attribution and helps users discover content with summaries, quotes, and links.

An OpenAI spokesperson stated:

“We support publishers and creators by helping 250M weekly ChatGPT users discover quality content through summaries, quotes, clear links, and attribution. We’ve collaborated with partners to improve in-line citation accuracy and respect publisher preferences, including enabling how they appear in search by managing OAI-SearchBot in their robots.txt. We’ll keep enhancing search results.”

While the company has worked to improve citation accuracy, OpenAI says it’s difficult to address specific misattribution issues.

OpenAI remains committed to improving its search product.

Looking Ahead

If OpenAI wants to collaborate with the news industry, it should ensure publisher content is represented accurately in ChatGPT Search.

Publishers currently have limited power and are closely watching legal cases against OpenAI. Outcomes could impact content usage rights and give publishers more control.

As generative search products like ChatGPT change how people engage with news, OpenAI must demonstrate a commitment to responsible journalism to earn user trust.


Featured Image: Robert Way/Shutterstock

Google Business Profile Update Targets Delivery Of Age-Restricted Products via @sejournal, @MattGSouthern

Google has updated its Business Profile rules for service-area businesses that sell age-restricted products.

Now, businesses selling alcohol, cannabis, weapons, and similar items must have a physical storefront to maintain their Google Business Profile.

We were alerted to this update by Stefan Somborac on X:

Changes To Service-Area Business Guidelines

Google has updated its guidelines to prevent businesses that sell age-restricted products from operating only as service-area businesses.

The updated guidelines state:

“Businesses associated with products or services that require the customer to be a certain minimum age, like alcohol, cannabis, or weapons, aren’t permitted as service-area businesses without a storefront.”

This is a notable change in how Google handles business listings for delivery and mobile services.

The policy outlines two main types of businesses:

  1. Service-area businesses: These companies deliver to customers but do not have a physical business location.
  2. Hybrid businesses: These operations have a physical location and offer delivery or mobile services.

Service Area Limitations

Google maintains its existing restrictions on service areas, including:

  • A maximum of 20 service areas per business
  • Service boundaries limited to approximately 2 hours of driving time from the business base
  • Service areas must be defined by city, postal code, or specific geographic region rather than radius

Impact On Businesses

This update affects certain types of businesses:

  • Mobile alcohol delivery services
  • Cannabis delivery services
  • Weapons dealers without a physical store
  • Vendors of age-restricted products that only deliver

The new rules require these businesses to have a physical storefront to keep their Google Business Profiles.

This change aims to ensure proper age checks and compliance with sensitive product and service regulations.

What This Means

The policy update addresses concerns about selling age-restricted products through delivery-only businesses.

This change mainly impacts new delivery services for cannabis and alcohol, which have grown in some cities.


Featured Image: Alexandre.ROSA/Shutterstock

Google Search Sees UK Decline, Users Express Low Trust In AI via @sejournal, @MattGSouthern

Google Search’s market share in the UK weakened this year, with user reach dropping to 83% from 86%, according to Ofcom’s Online Nation report.

This decline comes as concerns grow over AI-powered search results, with only 18% of users confident in their accuracy.

The Rise & Fall of AI Search Adoption

Microsoft’s Bing gained popularity after adding ChatGPT in February 2023, peaking at 46% reach in the UK in April.

By May 2024, it settled at 39%, still above pre-AI levels.

This suggests the initial excitement about AI search tools is fading, and users are now more cautious with AI-generated results.

Trust Gap Emerges

Despite the widespread adoption of AI search features, trust remains a concern:

  • Only 18% of UK users believe AI search results are reliable
  • Younger users (ages 16-24) show marginally higher trust at 21%
  • A third of users express neutral confidence in AI-generated results
  • Men show higher confidence in AI search results than women

Demographics & Device Usage

The report reveals variations in search behavior across age groups and devices:

  • Google maintains 83% reach across smartphones, tablets, and computers
  • Google maintains 49% daily active users
  • Bing sees 39% reach, primarily driven by desktop users
  • Alternative search engines like DuckDuckGo show modest growth (3% reach)
  • Bing shows stronger performance among older users (43% of 65+ vs. 36% of 25-34-year-olds)
  • Mobile search dominates, with Google capturing 84% of mobile searches
  • Desktop usage remains stronger for traditional search engines like Bing and Yahoo
  • 69% of UK online adults visit at least one search engine daily

What This Means

As we approach 2025, search is changing with AI integration, but user trust remains essential.

Key points for search marketers and content creators include:

  • Many users still prefer traditional search methods despite the rise of AI.
  • Trust issues create both challenges and opportunities for content improvement.
  • Different age groups affect how people accept and use AI in search.
  • A successful strategy blends AI tools with established methods.

View AI search as an added layer rather than a replacement for current practices.

Focus on quality content and reliable information, optimizing for AI wisely where it adds value.

Methodology

The Online Nation 2024 report combines two main data sources:

Online Experiences Tracker:

  • 7,280 UK internet users aged 13-84
  • Fielded May-June 2024 via YouGov panel
  • Standard demographic weighting applied

Ipsos iris Panel Data:

  • Passive tracking of 10,700 UK adults
  • Monitors actual device usage across mobile, tablet, and desktop
  • Continuous measurement through May 2024
  • Covers in-home and out-of-home usage

Worth noting: Some year-over-year comparisons, particularly around time spent metrics, may be affected by methodology updates. Apple News tracking began in October 2023, which impacts certain platform comparisons.

The data focuses on UK users, so global markets may show different patterns. All population estimates have standard margins of error.


Featured Image: William Barton/Shutterstock

YouTube Previews AI Tools To Overcome Creative Blocks via @sejournal, @MattGSouthern

YouTube is enhancing its Inspiration Tab, a tool for creators to understand their audience and improve content.

In a video demonstration, the company previewed new AI features that will launch in the coming months.

Initially a research tool, the Inspiration Tab now helps creators identify audience interests and content gaps.

The new AI features are designed to boost creativity and streamline content creation.

Personalized Ideas and Audience Insights

You’ll find five tailored ideas for your channel in the updated Inspiration Tab.

Screenshot from: YouTube.com/CreatorInsider, Nov 2024.

Each idea includes a thumbnail, title, summary, and audience interest insights, helping you see how well it fits your audience.

You can also input any topic as a text prompt, and the AI will generate ideas based on your request.

Screenshot from: YouTube.com/CreatorInsider, Nov 2024.

In the Idea Playground, you can personalize your idea by exploring different angles.

Choose from suggested angles or enter your own prompt.

The Playground also offers undo and redo options, so you don’t lose your work.

Screenshot from: YouTube.com/CreatorInsider, Nov 2024.

You can access outlines and thumbnails in the Playground. The AI will suggest ways to adjust your talking points. You can modify the entire outline or focus on specific sections.

Similar options are available for titles and thumbnails. You can download images for use as backgrounds or modify them to visualize before uploading.

Screenshot from: YouTube.com/CreatorInsider, Nov 2024.

Availability

The Inspiration Tab is the updated Trends Tab, formerly the Research Tab. It will be a central hub where you can use AI to brainstorm ideas, outlines, titles, thumbnails, and concepts.

YouTube plans to roll out these features over the next few months. Note that these features are not widely available yet, as YouTube is previewing them to gather creator feedback.

See the full demo below:


Featured Image: Geobor/Shutterstock

WordPress Anti-Spam Plugin Vulnerability Hits 200k+ Sites via @sejournal, @martinibuster

A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites. Security researchers rated the vulnerability 9.8 out of 10, reflecting its high severity.

Screenshot Of CleanTalk Vulnerability Severity Rating

CleanTalk Anti-Spam WordPress Plugin Vulnerability

A highly rated anti-spam firewall with over 200,000 installations was found to have an authentication bypass vulnerability that enables attackers to gain full access to websites without providing a username or password. The flaw lets attackers upload and install any plugin, including malware, granting them full control of the site.

The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing. DNS is the system that maps domain names to IP addresses; reverse DNS does the opposite, mapping an IP address back to a domain name. Reverse DNS spoofing is where the reverse lookup for an attacker’s IP address is made to return a different domain name, so that the request appears to come from a different host. In this case, attackers can make the Anti-Spam plugin believe that the malicious request is coming from the website itself, and because the plugin performs no further check, they gain unauthorized access.

This vulnerability is categorized as: Missing Authorization. The Common Weakness Enumeration (CWE) website defines that as:

“The product does not perform an authorization check when an actor attempts to access a resource or perform an action.”

Wordfence explains it like this:

“The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.”
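The trust pattern the advisory describes, as an added illustration that is not the CleanTalk plugin’s code or Wordfence’s analysis (the plugin is written in PHP; this is a language-neutral sketch in Python with hypothetical names). It places the weak pattern, accepting a request as the site’s own because a reverse DNS lookup of the client IP returns the site’s hostname, beside a forward-confirmed reverse DNS check that also resolves that hostname forward and requires the original IP to be among the answers. Resolver functions are injected so the module runs offline against a constructed lookup table built from documentation address ranges.

```python
"""Forward-confirmed reverse DNS (FCrDNS) vs. a bare reverse-DNS trust check.

Added illustration only: not CleanTalk's plugin code or Wordfence's analysis;
all names here are hypothetical. The weak check trusts the PTR name alone; the
hardened check additionally resolves the PTR name forward and requires the
original client IP to appear among the answers.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data using RFC 5737 documentation address ranges.
SITE_HOST = "example-site.test"
PTR_TABLE: Dict[str, str] = {
    "203.0.113.10": "example-site.test.",  # the site's real server
    "198.51.100.7": "example-site.test.",  # unrelated address whose PTR record claims the site's name
}
FORWARD_TABLE: Dict[str, List[str]] = {
    "example-site.test": ["203.0.113.10"],  # the name really resolves only here
}

ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR hostname (or None)
ForwardLookup = Callable[[str], Iterable[str]]  # hostname -> IP addresses


def table_reverse(ip: str) -> Optional[str]:
    """Offline stand-in for socket.gethostbyaddr()."""
    return PTR_TABLE.get(ip)


def table_forward(host: str) -> Iterable[str]:
    """Offline stand-in for socket.getaddrinfo()."""
    return FORWARD_TABLE.get(host, [])


def system_reverse(ip: str) -> Optional[str]:
    """Real resolver wrapper (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host: str) -> Iterable[str]:
    """Real resolver wrapper (not used by the offline demo)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except OSError:
        return []


def _normalize(host: str) -> str:
    """Strip the trailing dot of an FQDN and compare case-insensitively."""
    return host.rstrip(".").lower()


def weak_is_own_host(remote_ip: str, site_host: str, reverse: ReverseLookup) -> bool:
    """Weak check: trusts the PTR name alone.

    The PTR record for an address is published by whoever administers that
    address space, not by the site being protected, so it is untrusted input.
    """
    ptr = reverse(remote_ip)
    return ptr is not None and _normalize(ptr) == _normalize(site_host)


def fcrdns_is_own_host(remote_ip: str, site_host: str,
                       reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Hardened check: PTR name must match AND resolve forward back to remote_ip."""
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed client address: never trust it
    ptr = reverse(remote_ip)
    if ptr is None or _normalize(ptr) != _normalize(site_host):
        return False
    answers = set()
    for addr in forward(_normalize(ptr)):
        try:
            answers.add(ipaddress.ip_address(addr))
        except ValueError:
            continue  # ignore malformed resolver output
    return ip in answers


def demo() -> Dict[str, bool]:
    """Run both checks against the constructed table and report the decisions."""
    return {
        "weak_real": weak_is_own_host("203.0.113.10", SITE_HOST, table_reverse),
        "weak_spoofed": weak_is_own_host("198.51.100.7", SITE_HOST, table_reverse),
        "fcrdns_real": fcrdns_is_own_host("203.0.113.10", SITE_HOST, table_reverse, table_forward),
        "fcrdns_spoofed": fcrdns_is_own_host("198.51.100.7", SITE_HOST, table_reverse, table_forward),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Even the forward-confirmed check only establishes which host a request came from; authorizing a sensitive action such as plugin installation should rest on a secret the caller must present, not on DNS-derived identity.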

Recommendation

Wordfence recommends that users of the affected plugin update to version 6.44 or higher.

Read the Wordfence advisory:

Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 – Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation

Featured Image by Shutterstock/SimpleB