How can an anti-spam WordPress plugin expose user data?

In recent news, the WordPress anti-spam plugin “Spam protection, Firewall, AntiSpam by CleanTalk” was found to be vulnerable to SQL injection.

SQL is a language designed for managing data held in a relational database system, or for processing structured data more generally. The SQL injection flaw found in this WordPress plugin enables an unauthorized attacker to gain access to users’ passwords, emails, bank account details, credit card information and any other personal information stored on the site.

What is the CVSS issue?

The whole purpose of Spam protection, Firewall by CleanTalk is to filter out unauthorized access, unwanted comments and spam on the websites where it is installed. The issue is tracked as CVE-2021-24295, with a CVSS score of 7.5 out of 10, and lies in that filtering component, that is, in the part of the plugin that keeps track of visitors’ IP addresses. It is not limited to IP addresses but extends to the User-Agent strings that browsers send to identify themselves.

According to the analysis, the vulnerability lies in the update_log function in CleanTalk/Firewall/lib/ApbctWP/SFW.php, which is used to insert records of requests into the database.

How does CVSS score impact user vulnerability?

CVSS, the Common Vulnerability Scoring System, produces a number that reflects the severity of a given vulnerability in the security of information or data.

CVSS scores are used to compare vulnerabilities against each other and to determine which one is the most severe. The higher the CVSS score, the higher the risk and the more severe the vulnerability.

Unauthorized interception of data through SQL injection

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. It is used to infer or intercept the responses the database returns to those queries.

The way to eliminate the risk of the database being interfered with through SQL injection is to use prepared statements. Prepared statements keep each parameter separate from the query text, so an attacker cannot alter what the query does or read beyond the data it is meant to return. This is best done with the help of experts who can interpret the vulnerability for you.

The CleanTalk plugin vulnerability

Among its several functions, the CleanTalk plugin’s fundamental one is to protect website owners against spam comments on their blogs. It does this by maintaining a list that tracks IP addresses and blocks them, together with the User-Agent string each visitor sends.

The CleanTalk vulnerability was exploited using blind SQL injection. This technique sends the database queries that ‘guess’ at the contents of a table. When a guess is correct, the database can be instructed to sleep, delaying the response it sends back, and that delay is what reveals that the guess was right.

The update_log function in the PHP file mentioned earlier was the root cause of the vulnerability. Stored in lib/CleanTalk/ApbctWP/Firewall/SFW.php, it lets records of requests be added to the SQL database, and this particular query did not use a prepared statement, so values controlled by the attacker reached the query text.

Normally, update_log is executed only once per visiting IP address. The manipulation works through a cookie originally set by the plugin: a first request obtains the ct_sfw_pass_key cookie, after which the attacker can manually set a second cookie named ct_sfw_passed. What does that do? The added cookie effectively prevents the plugin from resetting the original cookie, so the once-per-visitor limit no longer holds.

As a result, the vulnerable SQL query was an INSERT rather than a SELECT. Although the vulnerability was severe, this detail made it harder for attackers to do further damage to a website by altering its database. You can hire experts to walk you through the process.
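The unprepared INSERT described above beside its prepared-statement form, as an added example that is not CleanTalk’s code: it uses Python with an in-memory SQLite table (a hypothetical sfw_logs schema) in place of WordPress’s $wpdb so it runs stand-alone, and feeds both versions a constructed User-Agent that merely contains an apostrophe.

```python
import sqlite3

# Constructed stand-in for the plugin's firewall log table (hypothetical schema, not CleanTalk's).
SCHEMA = "CREATE TABLE sfw_logs (ip TEXT NOT NULL, ua TEXT NOT NULL, hits INTEGER NOT NULL)"


def setup_db():
    """Create an in-memory SQLite database holding the request-log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_request_unsafe(conn, ip, ua):
    """Vulnerable pattern: header values are spliced straight into the SQL text.

    Whatever the client sends as its address or User-Agent becomes part of the
    statement, so a single quote character changes the query itself.
    """
    sql = f"INSERT INTO sfw_logs (ip, ua, hits) VALUES ('{ip}', '{ua}', 1)"
    conn.execute(sql)
    conn.commit()


def log_request_safe(conn, ip, ua):
    """Hardened pattern: a prepared statement with bound parameters.

    The statement shape is fixed by the '?' placeholders; the driver passes the
    values separately, so they are stored verbatim and can never alter the query.
    """
    conn.execute("INSERT INTO sfw_logs (ip, ua, hits) VALUES (?, ?, 1)", (ip, ua))
    conn.commit()


def unsafe_insert_succeeds(conn, ip, ua):
    """Return True if the unsafe insert runs cleanly, False if the input broke the query."""
    try:
        log_request_unsafe(conn, ip, ua)
        return True
    except sqlite3.Error:
        return False


def fetch_logs(conn):
    """Return every stored log row as an (ip, ua, hits) tuple, oldest first."""
    return conn.execute("SELECT ip, ua, hits FROM sfw_logs ORDER BY rowid").fetchall()


if __name__ == "__main__":
    # Constructed sample request: an ordinary-looking User-Agent containing an apostrophe.
    ip, ua = "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) O'Brien-Bot/1.0"
    conn = setup_db()
    print("unsafe insert ok:", unsafe_insert_succeeds(conn, ip, ua))  # False: the quote altered the query
    log_request_safe(conn, ip, ua)
    print("stored rows:", fetch_logs(conn))  # the apostrophe is stored verbatim
```

The same input that breaks the string-built query is stored unchanged by the parameterized one, which is exactly the separation of query structure from parameters that the page recommends.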

What were the lessons learned?

As the saying goes, prevention is better than cure. To avoid this kind of problem, hire expert WordPress developers who can advise you on patching and upgrading the plugins on your website if you are still running an outdated version of any of the CleanTalk anti-spam plugins.