[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcqEZM_XYwY_HocEa8ZFr8fFvDm1GVADhcbx8AUZza-k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8071","cleantalk-anti-spam-spam-firewall-bot-protection-unauthenticated-stored-cross-site-scripting","CleanTalk Anti-Spam. Spam Firewall & Bot protection \u003C 6.79 - Unauthenticated Stored Cross-Site Scripting","The CleanTalk Anti-Spam. Spam Firewall & Bot protection plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 6.79 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cleantalk-spam-protect",null,"\u003C6.79","6.79","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-11 00:00:00","2026-06-15 19:35:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5339024c-afcc-4fdc-a14b-056068ff2f5b?source=api-prod",5,[22,23,24,25,26,27,28,29],"cleantalk.php","inc\u002Fcleantalk-settings.php","js\u002Fapbct-public-bundle.min.js","js\u002Fapbct-public-bundle_ext-protection.min.js","js\u002Fapbct-public-bundle_ext-protection_gathering.min.js","js\u002Fapbct-public-bundle_full-protection.min.js","js\u002Fapbct-public-bundle_full-protection_gathering.min.js","js\u002Fapbct-public-bundle_gathering.min.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-8071 (CleanTalk Anti-Spam Stored XSS)\n\n## 1. Vulnerability Summary\nThe **CleanTalk Anti-Spam** plugin for WordPress is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in versions prior to 6.79. The vulnerability exists because the plugin logs data from unauthenticated web requests (such as headers or request parameters) for security monitoring and spam analysis but fails to properly sanitize this data before storing it in the database and fails to escape it when displaying the logs in the WordPress admin dashboard.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Any frontend page or the specific `admin-ajax.php` endpoint used for bot detection.\n- **Vulnerable Hook:** The plugin's Firewall components (`AntiCrawler`, `SFW`, `AntiFlood`) which execute during the `init` or `plugins_loaded` phase.\n- **Vulnerable Parameter:** The `User-Agent` HTTP header or the `ct_bot_detector_event_data` POST parameter (inferred from `APBCT_BOT_DETECTOR_SCRIPT_URL` and minified JS).\n- **Authentication Required:** None (Unauthenticated).\n- **Preconditions:** The \"Spam Firewall\" or \"Anti-Crawler\" feature must be enabled (often default or enabled during setup to provide protection).\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated user sends a request to the WordPress site.\n2. **Initialization:** `cleantalk.php` initializes the global `$apbct` state and loads the Firewall modules.\n3. **Detection:** Classes like `Cleantalk\\ApbctWP\\Firewall\\AntiCrawler` or `Cleantalk\\ApbctWP\\Firewall\\SFW` process the request. If the request triggers a \"spam\" or \"bot\" signature (e.g., rapid requests or a suspicious `User-Agent`), the plugin prepares to log the event.\n4. **Data Collection:** The plugin retrieves the `User-Agent` via `Cleantalk\\ApbctWP\\Variables\\Server::get('HTTP_USER_AGENT')`.\n5. **Storage (Sink):** The data is stored in the database (typically in the `wp_cleantalk_sfw_logs` or `wp_cleantalk_logs` table) without sufficient sanitization.\n6. **Rendering (Sink):** An administrator navigates to the CleanTalk settings page (`options-general.php?page=cleantalk`). The plugin retrieves the logs via `apbct_settings__display` (in `inc\u002Fcleantalk-settings.php`) or an AJAX call to render the log table. The `User-Agent` is echoed directly into the HTML without `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability involves **Unauthenticated Injection**. The storage of the payload occurs when the plugin logs a \"suspicious\" request. Therefore, **no nonce is required** to perform the injection.\n\nHowever, to verify the XSS via a browser-based PoC, we must ensure the admin views the logs. If the log page uses AJAX to load entries, we can identify the nonce used for the admin-side log retrieval:\n1. **Navigate to:** `\u002Fwp-admin\u002Foptions-general.php?page=cleantalk`\n2. **Shortcode\u002FScript:** The plugin enqueues scripts using `wp_localize_script`.\n3. **JS Variable:** In the admin context, CleanTalk often uses `ctAdminCommon` or `apbctAdmin`.\n4. **Acquisition:**\n   ```javascript\n   \u002F\u002F In browser_eval:\n   window.ctAdminCommon?.nonce || window.apbctAdmin?.nonce\n   ```\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload into the logs that will execute when an admin views the \"Spam Firewall\" logs.\n\n### Step 1: Trigger a Logged Event\nWe will send a request designed to be flagged as a bot or spam, carrying our payload in the `User-Agent` header.\n\n- **Tool:** `http_request`\n- **URL:** `https:\u002F\u002F\u003Ctarget>\u002F`\n- **Method:** `POST`\n- **Headers:**\n  - `User-Agent: \u003Cimg src=x onerror=\"alert('CVE-2026-8071_XSS')\">`\n  - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `ct_checkjs=1&test_spam=1` (Standard parameters to ensure the plugin processes the request as a form submission).\n\n### Step 2: Trigger the Firewall (Alternative)\nIf the above doesn't log, we trigger the \"Anti-Crawler\" by hitting the site multiple times with the same payload until a block page appears.\n\n## 6. Test Data Setup\n1. **Plugin Configuration:**\n   - Install `cleantalk-spam-protect` version 6.78.\n   - Activate the plugin.\n   - Go to **Settings -> Anti-Spam** and ensure \"Spam Firewall\" and \"Anti-Crawler\" are enabled.\n   - Set a dummy API key if required (e.g., `111111111`).\n2. **Page Setup:** No specific shortcode is required for the *injection*, as the Firewall operates on all requests.\n\n## 7. Expected Results\n- The malicious `User-Agent` string is written to the `wp_cleantalk_sfw_logs` table.\n- When an admin visits `\u002Fwp-admin\u002Foptions-general.php?page=cleantalk` and clicks on the \"Logs\" or \"Spam Firewall\" tab, an alert box with `CVE-2026-8071_XSS` appears.\n\n## 8. Verification Steps\nAfter sending the `http_request`, use `wp_cli` to confirm storage:\n```bash\n# Check if the payload exists in the CleanTalk log tables\nwp db query \"SELECT * FROM wp_cleantalk_sfw_logs WHERE user_agent LIKE '%onerror%';\"\nwp db query \"SELECT * FROM wp_cleantalk_logs WHERE user_agent LIKE '%onerror%';\"\n```\n\nTo verify the lack of escaping in the output:\n```bash\n# Capture the admin settings page output (simulating an admin)\n# Search for the unescaped img tag\nwp eval 'include_once \"wp-admin\u002Fincludes\u002Fplugin.php\"; $_GET[\"page\"]=\"cleantalk\"; apbct_settings__display();' | grep \"onerror\"\n```\n\n## 9. Alternative Approaches\n- **Payload in Referer:** If `User-Agent` is sanitized, repeat the process using the `Referer` header.\n- **Request URL Injection:** Send a request to a URL containing the payload: `https:\u002F\u002F\u003Ctarget>\u002F?s=\u003Cscript>alert(1)\u003C\u002Fscript>`. Some versions of CleanTalk log the full request URI.\n- **Bot Detector AJAX:** If the public JS is active, use `browser_eval` to trigger the bot detector AJAX call (`apbct_email_check` or `ct_get_cookie`) with a malicious payload in the data object.","The CleanTalk Anti-Spam plugin is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) due to the unsafe logging of request headers and parameters. An attacker can inject malicious scripts into logs by sending a specially crafted request that triggers the plugin's 'Spam Firewall' or 'Anti-Crawler' features, which then executes when an administrator views the logs in the dashboard.","\u002F\u002F In various Firewall components (AntiCrawler, SFW), the plugin collects request data\n\u002F\u002F such as the User-Agent without sufficient sanitization before storage.\n\u002F\u002F Path: Cleantalk\\ApbctWP\\Variables\\Server::get('HTTP_USER_AGENT')\n\n\u002F\u002F In the administration dashboard, the stored logs are rendered.\n\u002F\u002F The plugin fails to use esc_html() or esc_attr() when displaying collected metadata.\n\u002F\u002F File: inc\u002Fcleantalk-settings.php (logic within apbct_settings__display)\n\n\u002F\u002F Example of unsafe retrieval in the rendering logic:\n$ua = $log_entry['user_agent'];\necho \"\u003Ctd>\" . $ua . \"\u003C\u002Ftd>\"; \u002F\u002F Unsafe rendering of stored XSS payload","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.78\u002Fcleantalk.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.79\u002Fcleantalk.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.78\u002Fcleantalk.php\t2026-04-29 07:39:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.79\u002Fcleantalk.php\t2026-05-14 09:53:48.000000000 +0000\n@@ -4,7 +4,7 @@\n   Plugin Name: Anti-Spam by CleanTalk\n   Plugin URI: https:\u002F\u002Fcleantalk.org\n   Description: Max power, all-in-one, no Captcha, premium anti-spam plugin. No comment spam, no registration spam, no contact spam, protects any WordPress forms.\n-  Version: 6.78\n+  Version: 6.79\n   Author: CleanTalk - Anti-Spam Protection \u003Cwelcome@cleantalk.org>\n   Author URI: https:\u002F\u002Fcleantalk.org\n   Text Domain: cleantalk-spam-protect\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.78\u002Finc\u002Fcleantalk-settings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.79\u002Finc\u002Fcleantalk-settings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.78\u002Finc\u002Fcleantalk-settings.php\t2026-04-29 07:39:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcleantalk-spam-protect\u002F6.79\u002Finc\u002Fcleantalk-settings.php\t2026-05-14 09:53:48.000000000 +0000\n@@ -189,6 +189,28 @@\n                     ),\n                     'long_description' => true,\n                 ),\n+                'sfw__anti_crawler'           => array(\n+                    'type'        => 'checkbox',\n+                    'title'       => 'Anti-Crawler' . $additional_ac_title, \u002F\u002F Do not to localize this phrase\n+                    'class'       => 'apbct_settings-field_wrapper',\n+                    'parent'      => 'sfw__enabled',\n+                    'description' =>\n+                        __(\n+                            'Plugin shows SpamFireWall stop page for any bot, except allowed bots (Google, Yahoo and etc).',\n+                            'cleantalk-spam-protect'\n+                        )\n+                        . '\u003Cbr>'\n+                        . __(\n+                            'Anti-Crawler includes blocking bots by the User-Agent. Use Personal lists in the Dashboard to filter specific User-Agents.',\n+                            'cleantalk-spam-protect'\n+                        )\n+                        . '\u003Cbr>\u003Cb>'\n+                        . __(\n+                            'This option works only when SpamFireWall is enabled.',\n+                            'cleantalk-spam-protect'\n+                        ) . '\u003C\u002Fb>',\n+                    'long_description' => true,\n+                ),","The exploit is achieved by submitting an unauthenticated request that triggers the plugin's security logging mechanisms while carrying a payload in an HTTP header. \n\n1. Target the site with an HTTP POST request to any frontend page.\n2. Set the 'User-Agent' header to a JavaScript payload, such as: \u003Cimg src=x onerror=\"alert('XSS')\">.\n3. Include common parameters like 'test_spam=1' to ensure the request is analyzed by the Spam Firewall.\n4. If the request is flagged as a 'bot' or 'spam' event, the plugin stores the malicious User-Agent string in the 'wp_cleantalk_sfw_logs' database table.\n5. When an administrator later logs in and navigates to the 'Anti-Spam' settings page or the 'Spam Firewall' logs tab, the stored payload is rendered directly into the HTML table without escaping, triggering the script execution in the administrator's context.","gemini-3-flash-preview","2026-06-26 01:06:05","2026-06-26 01:07:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.78","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcleantalk-spam-protect\u002Ftags\u002F6.78","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcleantalk-spam-protect.6.78.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcleantalk-spam-protect\u002Ftags\u002F6.79","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcleantalk-spam-protect.6.79.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcleantalk-spam-protect\u002Ftags"]