WordPress Plugin Vulnerabilities

Security & Malware scan by CleanTalk < 2.145.1 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection

Description

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Plugin icon
security-malware-firewall
Fixed in 2.145.1

References

CVE
CVE-2024-10570
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2187311d-6651-4eca-806d-aa2ff9fae4e2

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.5 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
b23b5018-4f79-4fb9-b4be-f481a44a50f0

Timeline

Publicly Published
2024-11-25 (about 1 year ago)
Added
2024-11-25 (about 1 year ago)
Last Updated
2024-11-26 (about 1 year ago)

Other

Published
Title
Published
2023-12-21
Title
Welcart e-Commerce < 2.9.4 - Authenticated(Editor+) SQL Injection
Published
2023-11-13
Title
Easy Newsletter Signups <= 1.0.4 - Admin+ SQLi
Published
2024-03-28
Title
CRM Perks Forms < 1.1.5 - Authenticated (Contributor+) SQL Injection
Published
2024-09-26
Title
Multi Step for Contact Form < 2.7.8 - Unauthenticated SQL Injection
Published
2025-05-30
Title
WP Guppy <= 4.3.3 - Authenticated (Subscriber+) SQL Injection