CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2022-28222 – CleanTalk AntiSpam <= 5.173 Reflected XSS
https://notcve.org/view.php?id=CVE-2022-28222
30 Mar 2022 — The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in`/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php` El plugin CleanTalk AntiSpam versiones anteriores a 5.173 incluyéndola para WordPress, es vulnerable a un ataque de tipo Cross-Site Scripting Reflejado (XSS) por medio del parámetro $_REQUEST["page"] en "/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php" The CleanTalk AntiSpam plugin <= 5.173 for WordPress is ... • https://packetstorm.news/files/id/166542 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24295 – Time-based Blind SQL Injection in Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4
https://notcve.org/view.php?id=CVE-2021-24295
05 Mar 2021 — It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and th... • https://wpscan.com/vulnerability/152171fc-888c-4275-a118-5a1e664ef28b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24131 – Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
https://notcve.org/view.php?id=CVE-2021-24131
20 Nov 2020 — Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, lead to multiple authenticated SQL injection vulnerabilities, however, it requires high privilege user (admin+). Una entrada no comprobada en Anti-Spam del plugin de WordPress CleanTalk, versiones anteriores a 5.149, conlleva a múltiples vulnerabilidades de inyección SQL autenticadas, sin embargo, requiere un usuario muy privilegiado (admin+) • https://wpscan.com/vulnerability/1bc28021-28c0-43fa-b89e-6b93c345e5d8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36698 – Security & Malware scan by CleanTalk <= 2.50 - Missing Authorization
https://notcve.org/view.php?id=CVE-2020-36698
06 Jul 2020 — The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to call functions and delete and/or upload files. El análisis de Seguridad y Malware del complemento CleanTalk para WordPress es... • https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-security-malware-scan-by-cleantalk-plugin • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17515 – Spam protection, AntiSpam, FireWall by CleanTalk <= 5.127.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17515
12 Nov 2019 — The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter. The component is: inc/cleantalk-users.php and inc/cleantalk-comments.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL. El plugin CleanTalk cleantalk-spam-protect versiones anteriores a la versión 5.127.4 para... • https://plugins.trac.wordpress.org/changeset/2172333 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •