Anti-Spam WordPress Plugin Could Expose Website User Data

‘Spam protection, AntiSpam, FireWall by CleanTalk’ is installed on more than 100,000 sites — and could offer up sensitive info to attackers that aren’t even logged in.

An SQL-injection vulnerability discovered in a WordPress plugin called “Spam protection, AntiSpam, FireWall by CleanTalk” could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker.

Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards.

zoho webinar promo

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

According to Wordfence, the issue (CVE-2021-24295, which carries a high-severity CVSS vulnerability rating of 7.5 out of 10) arises thanks to how it performs that filtering. It maintains a blocklist and tracks the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.

“Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement,” according to the firm, which released an analysis on Tuesday.

SQL injection is a web-security vulnerability that allows attackers to interfere with the queries that an application makes to its database, so that they intercept or infer the responses that databases return when queried. Prepared statements are one of the ways to prevent this; they isolate each query parameter so that an adversary would not be able to see the entire scope of the data that’s returned.

Researchers were able to successfully exploit the vulnerability in CleanTalk via the time-based blind SQL-injection technique, they said. This is an approach that involves sending requests to the database that “guess” at the content of a database table and instruct the database to delay the response or “sleep” if the guess is correct.

“For example, a request might ask the database if the first letter of the admin user’s email address starts with the letter ‘c,’ and instruct it to delay the response by five seconds if this is true, and then try guessing the next letters in sequence,” according to Wordfence. “There are a number of other SQL-injection techniques that can work around many forms of traditional input sanitization depending on the exact construction of the vulnerable query.”

Wordfence did outline several features in the plugin code that make the issue more difficult to exploit. For instance, the vulnerable SQL query is an “insert” query.

“Since data was not being inserted into a sensitive table, the insert query could not be used by an attacker to exploit the site by changing values in the database, and this also made it difficult to retrieve any sensitive data from the database,” according to Wordfence.

Also, the SQL statement used the “sanitize_text_field” function in an attempt to prevent SQL injection, and the user-agent was included in the query within single quotes.

“Despite these obstacles, we were able to craft a proof-of-concept capable of extracting data from anywhere in the database by sending requests containing SQL commands in the user-agent request header,” researchers said.

To be protected, web admins should update the patched version of the plugin, 5.153.4.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.  

Suggested articles