Vulnerable WordPress Plugin Could Leak Website User Data
An SQL-injection vulnerability discovered in a WordPress plugin called “Spam protection, AntiSpam, FireWall by CleanTalk” could expose user emails, passwords, credit-card data, and other sensitive information to an unauthenticated attacker. Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites and is mainly used to weed out spam and trash comments on website discussion boards.
According to Wordfence, the issue (CVE-2021-24295, which carries a high-severity CVSS rating of 7.5 out of 10) arises from how the plugin performs that filtering. The plugin maintains a blocklist and tracks the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.
SQL injection is a web-security vulnerability that allows attackers to interfere with the queries that an application makes to its database, for example to intercept or infer the responses the database returns. Prepared statements are one of the ways to prevent this; they keep each query parameter separate from the query text, so an adversary cannot alter the query or see the full scope of the data that is returned.
Researchers were able to successfully exploit the vulnerability in CleanTalk via the time-based blind SQL-injection technique, they said. This is an approach that involves sending requests to the database that “guess” at the content of a database table and instruct the database to delay the response or “sleep” if the guess is correct.
Wordfence did outline several features in the plugin code that make the issue more difficult to exploit. For instance, the vulnerable SQL query is an “insert” query. Also, the SQL statement used the “sanitize_text_field” function to prevent SQL injection, and the user-agent was included in the query within single quotes.
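The contrast between sanitizing-and-quoting and an actual prepared statement, as an added example that is not from the plugin or from Wordfence: a simplified stand-in for `sanitize_text_field` (an assumption, not the WordPress function) and a `visits` table are constructed here so the two insert paths can be compared on an in-memory SQLite database.

```python
import re
import sqlite3

def sanitize_text_field(value: str) -> str:
    """Simplified stand-in (assumption) for WordPress's sanitize_text_field():
    strips tags, removes control characters and collapses whitespace.
    It does NOT escape SQL quote characters, which is the point."""
    value = re.sub(r"<[^>]*>", "", value)
    value = "".join(ch for ch in value if ch >= " ")
    return " ".join(value.split())

def make_db() -> sqlite3.Connection:
    # Constructed table standing in for the plugin's IP/user-agent tracking.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ip TEXT, user_agent TEXT)")
    return conn

def log_visit_unsafe(conn: sqlite3.Connection, ip: str, ua: str) -> None:
    # Vulnerable pattern: the value is sanitized, then still concatenated
    # into the INSERT inside single quotes, so a quote ends the literal.
    ua = sanitize_text_field(ua)
    conn.execute(f"INSERT INTO visits (ip, user_agent) VALUES ('{ip}', '{ua}')")

def log_visit_safe(conn: sqlite3.Connection, ip: str, ua: str) -> None:
    # Hardened: parameters travel separately from the SQL text (the DB-API
    # equivalent of $wpdb->prepare() placeholders), so quotes stay data.
    conn.execute("INSERT INTO visits (ip, user_agent) VALUES (?, ?)",
                 (ip, sanitize_text_field(ua)))

def stored_user_agents(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT user_agent FROM visits")]

def demo(ua: str) -> dict:
    """Run both insert paths on the same user-agent and report the outcome."""
    result = {}
    for name, fn in (("unsafe", log_visit_unsafe), ("safe", log_visit_safe)):
        conn = make_db()
        try:
            fn(conn, "203.0.113.7", ua)  # documentation-range IP, constructed
            result[name] = stored_user_agents(conn)
        except sqlite3.Error as exc:
            # The header text reached the SQL parser: attacker-controlled syntax.
            result[name] = f"SQL error: {exc}"
    return result

if __name__ == "__main__":
    print(demo("Mozilla/5.0 (compatible; Bob's Browser)"))
```

A mere apostrophe in an otherwise ordinary user-agent is enough to make the unsafe path fail with a syntax error, which is exactly the foothold a blind injection builds on; the parameterized path stores the same string verbatim.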
To be protected, web admins should update to the patched version of the plugin, 5.153.4.