
Anti-Spam WordPress Plugin Could Expose Website User Data
2021-05-05 20:58

An SQL-injection vulnerability discovered in a WordPress plugin called "Spam protection, AntiSpam, FireWall by CleanTalk" could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker.

Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards.

SQL injection is a web-security vulnerability that lets an attacker interfere with the queries an application makes to its database, typically to read, or infer from the application's responses, data that the database returns.

Prepared statements are one of the ways to prevent this; they isolate each query parameter from the SQL text, so that attacker-supplied input is bound as data and cannot widen the query to return more than it was written to return.

"Since data was not being inserted into a sensitive table, the insert query could not be used by an attacker to exploit the site by changing values in the database, and this also made it difficult to retrieve any sensitive data from the database," according to Wordfence.

"Despite these obstacles, we were able to craft a proof-of-concept capable of extracting data from anywhere in the database by sending requests containing SQL commands in the user-agent request header," researchers said.
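To make the prepared-statement point concrete, here is an added example (not code from the plugin, CleanTalk, or Wordfence) in Python with SQLite standing in for the WordPress database. It logs a visitor's User-Agent header into a table two ways: by splicing the header into the SQL string, and by binding it as a parameter. The table name, the sample header values, and the apostrophe test case are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample User-Agent values. The second one contains a string
# delimiter followed by a second VALUES tuple, which is enough to change
# the structure of an INSERT that is built by string formatting.
BENIGN_UA = "Mozilla/5.0 (constructed sample)"
CRAFTED_UA = "x'), ('INJECTED"


def fresh_db():
    """In-memory stand-in for the site database with one logging table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, user_agent TEXT)")
    return conn


def log_visit_vulnerable(conn, user_agent):
    """Header value is pasted into the SQL text: a quote in the value changes the statement."""
    sql = "INSERT INTO visits (user_agent) VALUES ('%s')" % user_agent
    conn.execute(sql)
    conn.commit()


def log_visit_prepared(conn, user_agent):
    """Placeholder keeps the value out of the SQL text; the driver binds it as data only."""
    conn.execute("INSERT INTO visits (user_agent) VALUES (?)", (user_agent,))
    conn.commit()


def stored_user_agents(conn):
    """Everything the table ended up holding, in insertion order."""
    return [row[0] for row in conn.execute("SELECT user_agent FROM visits ORDER BY id")]


def demo(logger, user_agent):
    """Run one logging function against a fresh table and return what was stored."""
    conn = fresh_db()
    logger(conn, user_agent)
    return stored_user_agents(conn)


def vulnerable_breaks_on(user_agent):
    """True when the string-built INSERT is no longer valid SQL for this value.

    A legitimate apostrophe (not an attack at all) is enough to break it,
    which is also why such sites tend to show database errors to visitors.
    """
    try:
        demo(log_visit_vulnerable, user_agent)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print("vulnerable, crafted UA :", demo(log_visit_vulnerable, CRAFTED_UA))
    print("prepared,   crafted UA :", demo(log_visit_prepared, CRAFTED_UA))
    print("vulnerable, apostrophe :", vulnerable_breaks_on("Browser (it's fine)"))
```

With the crafted header the string-built INSERT stores two rows, one of which the attacker chose, while the prepared version stores the header verbatim as a single row. The same separation of query structure from data is what `$wpdb->prepare()` provides in WordPress plugin code, and it is the fix the page's description of prepared statements refers to.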
