The latest reported WordPress vulnerability concerns the CleanTalk anti-spam and firewall WordPress plugin.
The vulnerability is a SQL injection. Exploiting it could expose private user data, including credit card information, user passwords, email addresses, and other highly sensitive information.
An unauthenticated attacker could obtain this information by exploiting the vulnerability.
Because of its severity, Wordfence assigned it a CVSS score of 7.5, which is rated high.
What is a CVSS Score?
CVSS stands for Common Vulnerability Scoring System. It produces a number that represents the severity of a given vulnerability in information security.
Infosec teams use these scores to compare vulnerabilities against each other and to determine which ones are the most severe.
The higher the CVSS score, the greater the risk and the more severe the vulnerability.
When Was the WordPress Plugin Vulnerability Reported?
The Wordfence blog reported this vulnerability in early March 2021.
Two updates provided initial and then additional protection against this vulnerability, and we recommend that all users upgrade to the latest version.
What Does This WordPress Plugin Vulnerability Do?
One of the primary functions of the CleanTalk plugin is to protect site owners against blog comment spam.
The plugin does this by maintaining a list of blocked and tracked IP addresses. Alongside each address it also records the user-agent string that browsers send to identify themselves.
The weak point is the update_log function in the PHP file lib/Cleantalk/ApbctWP/Firewall/SFW.php. This function inserted records of incoming requests into the SQL database without using a prepared statement, so an attacker could add request records whose contents were placed directly into the query text.
The update_log function was meant to execute only once per visitor IP address. The bypass relied on manipulating the cookies the plugin set: an initial request obtained the ct_sfw_pass_key cookie, after which the attacker could manually set a second cookie, ct_sfw_passed, which prevented the original cookie from being reset.
The vulnerable SQL query was an INSERT rather than a SELECT. This made it harder for an attacker to do serious damage to a site by changing database values, and harder still to gain access to sensitive data in the database.
Despite this obstacle, the Wordfence team was able to build the proof of concept it needed, which extracted user data from anywhere in the database by sending SQL in the User-Agent request header.
Why are Prepared Statements Critical?
Wordfence reports the following regarding prepared statements and why they are so critical in the context of this vulnerability:
“We were able to successfully exploit the vulnerability in CleanTalk via the Time-Based Blind SQL Injection technique, which sends requests that “guess” at the content of a database table and instructs the database to delay the response or “sleep” if the guess is correct.
For example, a request might ask the database if the first letter of the admin user’s email address starts with the letter “c”, and instruct it to delay the response by 5 seconds if this is true, and then try guessing the next letters in sequence.
There are a number of other SQL injection techniques that can work around many forms of traditional input sanitization depending on the exact construction of the vulnerable query.
This is why it is essential to “prepare” any database queries before actually sending them to the database.
Prepared statements isolate each query parameter and are by far the most effective defense against SQL Injection.
Fortunately, WordPress offers an incredibly easy way to do this, by using the $wpdb->prepare() function.
If you develop WordPress plugins, themes, or any other software that interacts with a database, regularly using prepared statements will ensure your software will be far more secure.”
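To make the advice above concrete, here is an added illustration (not CleanTalk's plugin code and not Wordfence's) of the request-logging pattern described earlier: a firewall log INSERT written unsafely, then the same INSERT using $wpdb->prepare(), and the equivalent $wpdb->insert() form. It assumes a WordPress context where $wpdb is available and a hypothetical log table named {prefix}example_firewall_log with columns ip, user_agent and entry_time.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress has loaded
// ($wpdb and current_time() exist) and a hypothetical table
// {prefix}example_firewall_log (ip VARCHAR, user_agent TEXT, entry_time DATETIME).

// UNSAFE: the User-Agent string is concatenated straight into the query text.
// Any quote character in the header changes the SQL itself instead of being
// stored as data; this is the class of bug in the plugin's update_log function.
function example_log_request_unsafe( $ip, $user_agent ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_firewall_log'; // hypothetical table name
    $sql   = "INSERT INTO {$table} (ip, user_agent, entry_time) "
           . "VALUES ('{$ip}', '{$user_agent}', NOW())";
    return $wpdb->query( $sql );
}

// SAFE: $wpdb->prepare() binds each value to a %s placeholder, so the header
// is always treated as a string value and never as part of the SQL text.
// Note that only values can be placeholders; the table name comes from the
// trusted $wpdb->prefix, not from user input.
function example_log_request_prepared( $ip, $user_agent ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_firewall_log'; // hypothetical table name
    $sql   = $wpdb->prepare(
        "INSERT INTO {$table} (ip, user_agent, entry_time) VALUES (%s, %s, NOW())",
        $ip,
        $user_agent
    );
    return $wpdb->query( $sql );
}

// Equivalent and shorter: $wpdb->insert() builds the prepared INSERT for you,
// with an explicit format for every column.
function example_log_request_insert( $ip, $user_agent ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'example_firewall_log', // hypothetical table name
        array(
            'ip'         => $ip,
            'user_agent' => $user_agent,
            'entry_time' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
}

// Typical caller: read the header WordPress has slash-escaped, unslash it,
// and hand it to the prepared variant. The raw value is safe to store because
// the query, not the caller, is responsible for escaping.
$ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '';
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
example_log_request_prepared( $ip, $ua );
```

Only the first function is vulnerable; the remaining two produce the same row while keeping the header strictly as data, which is the point of the prepared-statement advice.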
Update Your Plugins As Soon as Possible
If you are running an outdated version of CleanTalk's anti-spam plugins, we strongly recommend upgrading and patching them on your site as quickly as possible.
Proactive prevention is always better than reactive solutions!