Anti-Spam WordPress Plugin Could Expose Website User Data

[silversurfer]

An SQL-injection vulnerability discovered in a WordPress plugin called “Spam protection, AntiSpam, FireWall by CleanTalk” could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker.
 
Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards.
 
According to Wordfence, the issue (CVE-2021-24295, which carries a high-severity CVSS vulnerability rating of 7.5 out of 10) arises thanks to how it performs that filtering. It maintains a blocklist and tracks the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.
 
“Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement,” according to the firm, which released an analysis on Tuesday.

Read more: Anti-Spam WordPress Plugin Could Expose Website User Data | Threatpost