A serious vulnerability recently appeared in another WordPress plugin that could allow extracting sensitive data from the target websites’ databases. Identified as an SQL injection vulnerability, the flaw merely resides in the CleanTalk AntiSpam WordPress plugin. The developers have patched the bug with the recent updates.
CleanTalk AntiSpam Plugin Vulnerability
Team Wordfence has shared details about an SQL injection vulnerability affecting the CleanTalk AntiSpam WordPress plugin.
The plugin “Spam protection, AntiSpam, FireWall by CleanTalk” primarily protects websites from spam comments. It currently boasts over 100,000 downloads, which means that the bug in it potentially affected thousands of websites.
As elaborated in their blog post, the plugin already had several measures in place to prevent SQL injection attacks. However, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php failed to use a prepared SQL statement that eventually made such attacks possible.
Explaining prepared statements, the researchers stated,
Prepared statements isolate each query parameter and are by far the most effective defense against SQL Injection.
Due to the absence of prepared statements, the researchers could easily exploit the flaw via time-based blind SQL injection. Exploitation in this way could allow a bad actor to steal sensitive information from the database, such as users’ passwords.
This vulnerability has received the CVE ID CVE-2021-24295 and a high-severity rating with a CVSS score of 7.5.
Wordfence found this vulnerability in the plugin in March 2021, after which, they responsibly disclosed the bug to the developers.
Following their report, the developers released a fix for the vulnerability in a few days.
As observed the bug affected the plugin versions available until 5.153.3. Whereas, the developers released the patch with version 5.153.4 that they also mentioned in the plugin’s changelog.
Since the patched version is already out, all those who haven’t yet updated their websites should update it now.
Besides, the developers have rolled out the current plugin version 5.157.2 recently with other updates. Thus, all users should ideally update to this version at the earliest.