The latest WordPress vulnerability reported concerns the CleanTalk anti-spam and FireWall WordPress plugin.
The vulnerability is a SQL injection. An attacker who exploited it could expose private user data, including credit card information, user password hashes, email addresses, and other sensitive information.
No authentication was required: any unauthenticated visitor could exploit the vulnerability to reveal this information.
Wordfence assigned it a CVSS score of 7.5, which falls in the High severity range.
What is a CVSS Score?
CVSS stands for Common Vulnerability Scoring System. It is a number from 0.0 to 10.0 that represents the technical severity of a given vulnerability in information security.
Infosec teams use the score to compare vulnerabilities against each other and to decide which ones to patch first.
The higher the CVSS score, the more severe the vulnerability: in CVSS v3, 4.0 to 6.9 is rated Medium, 7.0 to 8.9 High, and 9.0 to 10.0 Critical. Note that the score describes the flaw itself, not how exposed a particular site is, so a High score on a plugin every visitor can reach should be treated as urgent.
When Was the WordPress Plugin Vulnerability Reported?
The Wordfence blog reported this vulnerability in early March 2021.
Two plugin updates were released, the first providing an initial fix and the second an additional one, and we recommend that all users upgrade to the latest version.
What Does This WordPress Plugin Vulnerability Do?
One of the primary functions of the CleanTalk plugin is to protect site owners against blog comment spam.
To do so, the plugin maintains a list of blocked IP addresses and logs the requests it sees, recording the visitor's IP address along with the User-Agent string that browsers send to identify themselves.
The weak point was the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php. It inserted a record of each request into a database table using a SQL query built without a prepared statement, so attacker-controlled request data went straight into the query text.
update_log was only intended to run once per visitor IP address, but that limit could be bypassed by manipulating the cookies the plugin set. An attacker first sent a request to obtain the ct_sfw_pass_key cookie, then manually set a separate cookie, ct_sfw_passed, which prevented the ct_sfw_pass_key cookie from being reset and allowed the logging function to be triggered repeatedly.
Because the vulnerable query was an INSERT rather than a SELECT, the injection could not be used to read query results directly or to overwrite existing rows, which closed off the obvious ways of damaging a site or pulling data out of the database.
Despite that obstacle, the Wordfence team produced a working proof of concept: by placing SQL in the User-Agent request header, they could extract user data from anywhere in the database. Since an INSERT returns nothing to the attacker, this extraction is blind, inferring the data from the server's behaviour (such as response timing) rather than from any query output.
Why are Prepared Statements Critical?
Wordfence reports the following regarding prepared statements and why they are so critical in the context of this vulnerability:
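As an added example, not code from the CleanTalk plugin or from Wordfence, the following stand-alone PHP script contrasts the pattern that caused the problem (a request log written with string concatenation) with the prepared-statement version. It uses PDO with an in-memory SQLite database so it runs without WordPress; the table names, columns, the sample password hash and the malicious User-Agent value are all constructed for the demo.

```php
<?php
// Added illustrative example, not the CleanTalk plugin's code.
// PDO + in-memory SQLite so it runs stand-alone; table/column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: a users table with one password hash, and an empty request log.
$pdo->exec("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)");
$pdo->exec("CREATE TABLE sfw_logs (ip TEXT, ua TEXT)");
$pdo->exec("INSERT INTO wp_users VALUES ('admin', '\$P\$Bconstructed.hash.for.demo')");

// Vulnerable pattern: the User-Agent is interpolated straight into the INSERT text,
// so a quote in the header ends the string literal and the rest is parsed as SQL.
function log_request_unsafe(PDO $pdo, string $ip, string $ua): void
{
    $sql = "INSERT INTO sfw_logs (ip, ua) VALUES ('$ip', '$ua')";
    $pdo->exec($sql);
}

// Hardened pattern: the query text contains only placeholders; the values are bound
// separately, so the database never parses the User-Agent as SQL.
function log_request_safe(PDO $pdo, string $ip, string $ua): void
{
    $stmt = $pdo->prepare("INSERT INTO sfw_logs (ip, ua) VALUES (:ip, :ua)");
    $stmt->execute([':ip' => $ip, ':ua' => $ua]);
}

// Returns the logged User-Agent values in insertion order.
function fetch_logged_ua(PDO $pdo): array
{
    return $pdo->query("SELECT ua FROM sfw_logs ORDER BY rowid")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed malicious User-Agent: closes the string literal and splices in a subquery,
// so the row that gets INSERTed carries data read from a different table.
$payload = "Mozilla/5.0' || (SELECT user_pass FROM wp_users LIMIT 1) || '";

log_request_unsafe($pdo, '203.0.113.7', $payload);
log_request_safe($pdo, '203.0.113.7', $payload);

foreach (fetch_logged_ua($pdo) as $i => $ua) {
    echo ($i === 0 ? 'unsafe: ' : 'safe:   '), $ua, PHP_EOL;
}
```

Run it with `php example.php`. The unsafe insert stores the subquery's result (the admin password hash) in the log row, which shows that an INSERT-only injection can still pull data out of other tables; the prepared insert stores the payload as an inert string. On MySQL the same concatenation point also accepts functions such as SLEEP(), which is what makes a time-based blind extraction possible even when no query output ever reaches the attacker. In a WordPress plugin the equivalent hardening is `$wpdb->query( $wpdb->prepare( "INSERT INTO {$wpdb->prefix}sfw_logs (ip, ua) VALUES (%s, %s)", $ip, $ua ) )`, where the %s placeholders take the place of the interpolated variables.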
Update Your Plugins As Soon as Possible
If you are using an outdated version of the CleanTalk anti-spam plugin, we highly recommend upgrading and patching it on your site as quickly as possible.
Proactive prevention is always better than reactive solutions!