cleantalk
Vulnerabilities and Security Researches

Spam protection, Anti-Spam, FireWall by CleanTalk, CVE-2021-24295

CVE, Research URL

CVE-2021-24295

Home page URL

Security reports for Spam protection, Anti-Spam, FireWall by CleanTalk

Application

Spam protection, Anti-Spam, FireWall by CleanTalk

Published on
May 17, 2021
Research Description
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.
Affected versions
max 5.153.4.
Status
vulnerable
Previous vulnerability researches
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2024-10542) , Nov 26, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2024-10781) , Nov 26, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk , Aug 02, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2026-8071) , Jun 11, 2026
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2021-24295) , Jun 07, 2024
New vulnerability
Yoast Duplicate Post (CVE-2026-53740) , Jun 11, 2026
Yoast Duplicate Post (CVE-2026-53739) , Jun 11, 2026
Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website (CVE-2026-53737) , Jun 11, 2026
UpdraftPlus: WordPress Backup & Migration Plugin (CVE-2026-10795) , Jun 11, 2026
Plugin Name: ePaperFlip Publisher (CVE-2026-7662) , Jun 11, 2026