‘Spam protection, AntiSpam, FireWall by CleanTalk’ is installed on more than 100,000 sites — and could offer up sensitive info to attackers that aren’t even logged in.
An SQL-injection vulnerability discovered in a WordPress plugin called “Spam protection, AntiSpam, FireWall by CleanTalk” could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker.
Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards.
According to Wordfence, the issue (CVE-2021-24295, which carries a high-severity CVSS vulnerability rating of 7.5 out of 10) arises thanks to how it performs that filtering. It maintains a blocklist and tracks the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.
“Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement,” according to the firm, which released an analysis on Tuesday.
SQL injection is a web-security vulnerability that allows attackers to interfere with the queries that an application makes to its database, so that they intercept or infer the responses that databases return when queried. Prepared statements are one of the ways to prevent this; they isolate each query parameter so that an adversary would not be able to see the entire scope of the data that’s returned.
Read more here: threatpost.com