cbcvebase.
CVE-2021-24295
published 2021-05-17


Priority: P2 (76)
Severity: high, 7.5 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 4.69% (90.7th percentile)
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.

Affected

1 range
Vendor: cleantalk
Product: spam_protection_antispam_firewall
Version range: < 5.153.4
Fixed in: 5.153.4

Detection & IOCs (extracted from sources)

cookie: ct_sfw_pass_key
cookie: ct_sfw_passed
path: /wp-content/plugins/cleantalk-spam-protect/readme.txt
path: lib/Cleantalk/ApbctWP/Firewall/SFW.php
  • Probe for a vulnerable plugin version by fetching readme.txt and extracting the 'Stable tag' version field; flag if the version is < 5.153.4 and the body contains 'Spam protection'.
  • Monitor HTTP requests whose User-Agent header contains SQL injection payloads (e.g., time-based SLEEP/BENCHMARK constructs) together with both the ct_sfw_pass_key and ct_sfw_passed cookies; that combination indicates exploitation of the update_log blind SQLi vector.
  • Flag requests that carry a manually set ct_sfw_passed cookie while the ct_sfw_pass_key cookie is also present; this two-cookie pattern is the prerequisite for reaching the vulnerable code path.
  • Use the FOFA query 'body="/plugin/cleantalk-spam-protect/"' to identify internet-exposed WordPress instances running the CleanTalk plugin for targeted scanning.
  • The SQL injection is unauthenticated and time-based blind. Exploitation requires a two-step cookie manipulation: first obtaining ct_sfw_pass_key via a normal request, then manually setting ct_sfw_passed and preventing it from being reset before the payload fires.
  • The Nuclei template uses a passive version check (readme.txt + Stable tag regex) rather than active exploitation; it will only flag instances where the plugin readme is publicly readable.
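The passive version probe and the log-side detection described in the notes above, as an added example that is not code from the advisory, the Nuclei template, or the CleanTalk plugin. The log layout is an assumption for this example (combined log format with the request's Cookie header appended as a final quoted field), every sample log line and readme body is constructed, and the verdict names and helper functions are this example's own.

```python
"""Added example for CVE-2021-24295 detection (not the advisory's or CleanTalk's code).

Two pieces, mirroring the detection notes:
  1. readme_is_vulnerable(): the passive 'Stable tag' version check.
  2. scan_log(): flag requests carrying SLEEP/BENCHMARK in the User-Agent
     together with the ct_sfw_pass_key + ct_sfw_passed cookie pair.
Log format and all sample data below are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release named in the advisory.
FIXED_VERSION = (5, 153, 4)

# readme.txt 'Stable tag' line; a non-numeric tag such as 'trunk' does not match.
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*([0-9][0-9.]*)", re.IGNORECASE | re.MULTILINE)

# Time-based blind SQLi constructs named in the detection guidance.
TIME_SQLI_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

# Assumed log layout: combined log format + the Cookie header as a last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_version(tag: str) -> Tuple[int, ...]:
    """'5.153' -> (5, 153, 0); only the first three numeric parts are compared."""
    parts = [int(p) for p in tag.strip().split(".") if p.isdigit()][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def readme_is_vulnerable(body: str) -> bool:
    """Passive check: the readme is the CleanTalk plugin's and its Stable tag < 5.153.4."""
    if "Spam protection" not in body:
        return False
    m = STABLE_TAG_RE.search(body)
    return bool(m) and parse_version(m.group(1)) < FIXED_VERSION


def parse_cookies(header: str) -> Dict[str, str]:
    """Split 'a=b; c=d' into a dict; a bare '-' (no cookies) yields {}."""
    cookies: Dict[str, str] = {}
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def classify(ua: str, cookie_header: str) -> Optional[str]:
    """Verdict names are this example's own, not from the advisory."""
    cookies = parse_cookies(cookie_header)
    both = "ct_sfw_pass_key" in cookies and "ct_sfw_passed" in cookies
    payload = bool(TIME_SQLI_RE.search(ua))
    if both and payload:
        return "exploit_attempt"      # cookie prerequisite + time-based payload
    if payload:
        return "ua_payload_only"      # SQLi in UA without the cookie pair
    if both:
        return "cookie_prerequisite"  # low confidence on its own
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, verdict, source IP) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, not silently treated as benign
        verdict = classify(rec["ua"], rec["cookie"])
        if verdict:
            hits.append((n, verdict, rec["ip"]))
    return hits


# Constructed sample lines: benign, cookie pair only, pair + payload, payload without pair.
SAMPLE_LOG = [
    '198.51.100.10 - - [17/May/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '198.51.100.10 - - [17/May/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "ct_sfw_pass_key=deadbeef; ct_sfw_passed=1"',
    '203.0.113.7 - - [17/May/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0\' AND SLEEP(5)-- x" "ct_sfw_pass_key=deadbeef; ct_sfw_passed=1"',
    '203.0.113.7 - - [17/May/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "x\' OR benchmark(5000000,MD5(1))-- " "ct_sfw_pass_key=deadbeef"',
]

if __name__ == "__main__":
    for n, verdict, ip in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict} from {ip}")
```

Treat `cookie_prerequisite` as a low-confidence signal: the advisory describes both cookies as set by the plugin itself, so the pair alone is not proof of exploitation, and `exploit_attempt` is the verdict to alert on. The readme check only works when readme.txt is publicly readable, as the note above says, and a non-numeric Stable tag is reported as not vulnerable rather than guessed.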

CVSS provenance

NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 7.5 HIGH