SQL injection issue in Anti-Spam WordPress Plugin exposes User Data

‘Spam protection, AntiSpam, FireWall by CleanTalk’ anti-spam WordPress plugin could expose user sensitive data to an unauthenticated attacker.

A Time-Based Blind SQL Injection in ‘Spam protection, AntiSpam, FireWall by CleanTalk’ WordPress plugin, tracked as CVE-2021-24295, could be exploited by an unauthenticated attacker to access user data.

The flaw could be exploited by an attack to access user emails, passwords, credit card data, and other sensitive information.

The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin has 100,000+ active installations, it allows to filter out spam and trash comments on websites running WordPress CMS.

“On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all without logging into the site.” reads the advisory published by Wordfence.

The CVE-2021-24295 flaw is a high-severity issue that has been rated 7.5 out of 10.

The plugin protects sites against spam comments by maintaining a blocklist and tracking the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.

Wordfence researchers noticed that the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement.

Prepared statements allow preventing SQL injections attacks.

The experts were able to trigger the issue by sending requests to the database that “guess” at the content of a database table and instruct the database to delay the response or “sleep” if the guess is correct.

“For example, a request might ask the database if the first letter of the admin user’s email address starts with the letter ‘c,’ and instruct it to delay the response by five seconds if this is true, and then try guessing the next letters in sequence,” continues Wordfence. “There are a number of other SQL-injection techniques that can work around many forms of traditional input sanitization depending on the exact construction of the vulnerable query.”

Additionally, experts pointed that there were a number of features to the plugin code that made it more difficult to successfully perform a SQL injection attack. For example, the update_log function by design should only have been executed a single time for each visitor IP address. The experts noticed that it was possible to manipulate the cookies set by the plugin, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.

“Additionally, the vulnerable SQL query used INSERT rather than SELECT. Since data was not being inserted into a sensitive table, the insert query could not be used by an attacker to exploit the site by changing values in the database, and this also made it difficult to retrieve any sensitive data from the database,” continues Wordfence.

Another issue is related to the use of the “sanitize_text_field” function in an attempt to prevent SQL injection, and the user-agent was included in the query within single quotes.

The researchers created a proof-of-concept exploit to demonstrate the issue and extract data from anywhere in the database, they successfully exploited the flaw by sending requests containing SQL commands in the user-agent request header.

This vulnerability was addressed with the release of version 5.153.4, but the researchers recommend updating to the latest version of the plugin, 5.156.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Anti-Spam WordPress Plugin)

[adrotate banner=”5″]

[adrotate banner=”13″]