An SQL-injection flaw discovered in the WordPress plugin “Spam protection, AntiSpam, FireWall by CleanTalk” could allow an unauthenticated attacker to access user emails, passwords, credit-card data, and other sensitive information.

CleanTalk’s AntiSpam and FireWall plugin is used to filter spam and trash comments on website discussion boards, and is installed on over 100,000 sites.

The problem (CVE-2021-24295, which has a CVSS vulnerability rating of 7.5 out of 10) arises, according to Wordfence, because of how the plugin performs that filtering: it keeps track of requests from different IP addresses, including the user-agent string that browsers send to identify themselves, and maintains a blocklist.

“Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement,” according to the firm, which released an analysis on Tuesday.

SQL injection enables attackers to intercept data

SQL injection is a web-security flaw that allows attackers to intercept or infer the responses that databases return when queried, by interfering with the queries that an application makes to its database. One way to avoid this is to use prepared statements, which isolate each query parameter so that an adversary cannot see the entire scope of the data returned.

CleanTalk’s vulnerability was successfully exploited using the time-based blind SQL-injection technique, according to the researchers. This method involves sending database requests that “guess” the content of a database table and instructing the database to delay or “sleep” its response if the guess is correct.

“For example, a request might ask the database if the first letter of the admin user’s email address starts with the letter ‘c,’ and instruct it to delay the response by five seconds if this is true, and then try guessing the next letters in sequence,” according to Wordfence. “There are a number of other SQL-injection techniques that can work around many forms of traditional input sanitization depending on the exact construction of the vulnerable query.”

Wordfence highlights some features in the plugin code

Wordfence did point out a few features in the plugin code that make exploiting the flaw more difficult. The vulnerable SQL query, for example, is an “insert” query.

“Since data was not being inserted into a sensitive table, the insert query could not be used by an attacker to exploit the site by changing values in the database, and this also made it difficult to retrieve any sensitive data from the database,” according to Wordfence.

In addition, the SQL statement used the “sanitize_text_field” function to avoid SQL injection, and the user-agent was enclosed in single quotes in the query.
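To make the two points above concrete (a logging insert built without a prepared statement, and why sanitize_text_field plus single quotes does not close the hole), here is an added illustrative example; it is not the CleanTalk plugin’s own code, and the table name and function names are hypothetical. It assumes WordPress is loaded, so $wpdb, sanitize_text_field() and current_time() are the real WordPress APIs.

```php
<?php
// Added illustrative example (not the CleanTalk plugin's actual code): the
// unsafe logging pattern described above beside a version using $wpdb->prepare().
// Assumes WordPress is loaded ($wpdb and sanitize_text_field() are WordPress APIs);
// the table name and function names below are hypothetical.

// UNSAFE: sanitize_text_field() strips tags, control characters and extra
// whitespace, but it does not escape single quotes or other SQL metacharacters.
// Wrapping the value in quotes inside a string-built query therefore does not
// stop a quote in the header from ending the literal and appending SQL.
function example_log_request_unsafe( $ip, $user_agent ) {
    global $wpdb;
    $ua    = sanitize_text_field( $user_agent );
    $table = $wpdb->prefix . 'example_firewall_log';
    $sql   = "INSERT INTO $table (ip, user_agent, hit_time) "
           . "VALUES ('$ip', '$ua', NOW())";
    return $wpdb->query( $sql );
}

// SAFE: $wpdb->prepare() binds each value through a placeholder, so the
// user-agent is always treated as data and never as part of the statement.
// Escaping is handled by WordPress; the input is also length-capped here
// because a log column has no business storing an arbitrarily long header.
function example_log_request_safe( $ip, $user_agent ) {
    global $wpdb;
    $ua    = substr( sanitize_text_field( $user_agent ), 0, 255 );
    $table = $wpdb->prefix . 'example_firewall_log';
    $sql   = $wpdb->prepare(
        "INSERT INTO {$table} (ip, user_agent, hit_time) VALUES (%s, %s, NOW())",
        $ip,
        $ua
    );
    return $wpdb->query( $sql );
}

// Equivalent using $wpdb->insert(), which builds the prepared INSERT itself;
// the third argument gives the format of each column value.
function example_log_request_insert( $ip, $user_agent ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'example_firewall_log',
        array(
            'ip'         => $ip,
            'user_agent' => substr( sanitize_text_field( $user_agent ), 0, 255 ),
            'hit_time'   => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
}
```

The first function is the pattern to look for in a code review of any plugin that writes request headers to the database; either of the other two is the shape the fix should take.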

“Despite these obstacles, we were able to craft a proof-of-concept capable of extracting data from anywhere in the database by sending requests containing SQL commands in the user-agent request header,” researchers said.

Finally, web admins should update to the patched version of the plugin, 5.153.4, to be safe.
