CVE-2021-24295
Published 2021-05-17
Priority: P276 (high) · CVSS 3.1: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 4.69% (90.7th percentile)
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cleantalk | spam_protection_antispam_firewall | < 5.153.4 | 5.153.4 |
Detection & IOCs (extracted from sources)
path: /wp-content/plugins/cleantalk-spam-protect/readme.txt
- Probe for the vulnerable plugin version by fetching the readme.txt and extracting the 'Stable tag' version field; flag if the version is < 5.153.4 and the body contains 'Spam protection'.
- Monitor HTTP requests where the User-Agent header contains SQL injection payloads (e.g., time-based SLEEP/BENCHMARK constructs) in combination with the presence of ct_sfw_pass_key and ct_sfw_passed cookies, indicating exploitation of the update_log blind SQLi vector.
- Flag requests that carry a manually set ct_sfw_passed cookie while the ct_sfw_pass_key cookie is also present; this two-cookie pattern is the prerequisite for triggering the vulnerable code path.
- Use the FOFA query 'body="/plugin/cleantalk-spam-protect/"' to identify internet-exposed WordPress instances running the vulnerable CleanTalk plugin for targeted scanning.
- The SQL injection is unauthenticated and time-based blind; exploitation requires a two-step cookie manipulation — first obtaining ct_sfw_pass_key via a normal request, then manually injecting ct_sfw_passed to prevent it from being reset before the payload fires.
- The nuclei template uses a passive version-check approach (readme.txt + Stable tag regex) rather than active exploitation; it will only flag instances where the plugin readme is publicly readable.
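The two defender-side checks from the IOC list above (the readme.txt 'Stable tag' version probe and the two-cookie plus time-based User-Agent pattern) as an added Python example. This is not code from the page, from the nuclei template, or from CleanTalk; the access-log line format, the sample log lines and the sample readme bodies are constructed for the example, and the severity scoring (one indicator = medium, both = high) is an assumption of this example rather than something the sources state.

```python
"""Detection helpers for CVE-2021-24295 (CleanTalk Spam protection < 5.153.4).

Two checks mirrored from the IOC list:
  1. version_is_vulnerable(): parse 'Stable tag' from a readme.txt body and
     compare it against the fixed version 5.153.4.
  2. scan_log(): flag requests carrying both ct_sfw_pass_key and
     ct_sfw_passed cookies and/or a time-based SQL construct
     (SLEEP/BENCHMARK) in the User-Agent.
The log format and all sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (5, 153, 4)
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*([\d.]+)", re.IGNORECASE | re.MULTILINE)
# MySQL time-based primitives named in the IOC text; anchored on the opening paren.
TIME_BASED_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
# Constructed log format (assumption): ip method path cookie="..." ua="..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)" ua="(?P<ua>[^"]*)"$'
)


def parse_version(text):
    """'5.153.3' -> (5, 153, 3); short tags are zero-padded to three parts."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_vulnerable(readme_body):
    """Return (vulnerable, version) for a fetched readme.txt body.

    Flags only when the body identifies the CleanTalk plugin ('Spam protection')
    and the Stable tag is below 5.153.4, matching the passive nuclei check.
    """
    if "Spam protection" not in readme_body:
        return (False, None)
    match = STABLE_TAG_RE.search(readme_body)
    if not match:
        return (False, None)
    version = match.group(1)
    return (parse_version(version) < FIXED_VERSION, version)


def parse_cookies(header):
    """Split a Cookie header value into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


@dataclass
class Finding:
    ip: str
    path: str
    severity: str
    reasons: list


def classify_request(cookies, user_agent):
    """Return (severity, reasons); severity is None when nothing matched."""
    reasons = []
    if "ct_sfw_pass_key" in cookies and "ct_sfw_passed" in cookies:
        reasons.append("ct_sfw_pass_key and ct_sfw_passed both present (prerequisite for update_log path)")
    if TIME_BASED_RE.search(user_agent):
        reasons.append("time-based SQL construct (SLEEP/BENCHMARK) in User-Agent")
    severity = {0: None, 1: "medium", 2: "high"}[len(reasons)]  # assumed scoring
    return severity, reasons


def scan_log(lines):
    """Run classify_request over constructed log lines; return Finding list."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unknown format: skip rather than misclassify
        severity, reasons = classify_request(parse_cookies(match.group("cookie")), match.group("ua"))
        if severity:
            findings.append(Finding(match.group("ip"), match.group("path"), severity, reasons))
    return findings


# Constructed sample data (not real traffic or real plugin files).
SAMPLE_README_VULNERABLE = "=== Spam protection, AntiSpam, FireWall by CleanTalk ===\nStable tag: 5.153.3\n"
SAMPLE_README_FIXED = "=== Spam protection, AntiSpam, FireWall by CleanTalk ===\nStable tag: 5.153.4\n"
SAMPLE_LOG = [
    '10.0.0.1 GET / cookie="ct_sfw_pass_key=abc123" ua="Mozilla/5.0"',
    '10.0.0.2 GET /wp-login.php cookie="ct_sfw_pass_key=abc123; ct_sfw_passed=1" ua="Mozilla/5.0"',
    '10.0.0.3 GET / cookie="ct_sfw_pass_key=def456; ct_sfw_passed=1" ua="scanner SLEEP(5)"',
    '10.0.0.4 GET / cookie="" ua="scanner BENCHMARK(1000000,1)"',
]

if __name__ == "__main__":
    print("readme check:", version_is_vulnerable(SAMPLE_README_VULNERABLE))
    for finding in scan_log(SAMPLE_LOG):
        print(finding.severity, finding.ip, finding.path, finding.reasons)
```

The readme check deliberately requires both the product marker and a parseable Stable tag, so a generic 404 page or another plugin's readme does not produce a false positive; the log scan treats the cookie pair alone as a medium-confidence signal because legitimate clients never set ct_sfw_passed by hand, and raises it to high when the User-Agent also carries a time-based construct.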
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
GHSA
GHSA-3897-7ph5-mf8c · ghsa_unreviewed · 2022-05-24 · CVE-2021-24295 [HIGH] · CWE-89
Description: identical to the CVE description above.
VulnCheck
cleantalk spam_protection\,_antispam\,_firewall · vulncheck · 2021 · CVSS 7.5 · CVE-2021-24295 [HIGH]
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description: identical to the CVE description above.
Affected: cleantalk spam_protection\,_antispam\,_firewall
Requi
No detection rules found.
Nuclei
CVE-2021-24295 [HIGH] · nuclei · CVSS 7.5
Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauthenticated Blind SQL Injection
Description: identical to the CVE description above.
Template:
id: CVE-2021-24295
info:
name: Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.
No writeups or analysis indexed.
References:
- https://wpscan.com/vulnerability/152171fc-888c-4275-a118-5a1e664ef28b
- https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-in-cleantalk-antispam-plugin/