CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.
The attack relies on a quirk in how WordPress handles the page parameter, combined with PHP's default request order. WordPress decides which plugin admin page to render from $_GET['page'], but PHP's default request_order of "GP" builds $_REQUEST from $_GET and then $_POST, so a value POSTed under the same name overrides the one in the URL. A plugin that reads the page name back out of $_REQUEST['page'] and echoes it therefore renders the legitimate page while reflecting attacker-controlled content, which makes the parameter usable for a reflected cross-site scripting attack almost identical to a vulnerability recently covered by the folks at Wordfence.
The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance by tricking them into visiting a self-submitting form that sends a POST request to wp-admin/edit-comments.php?page=ct_check_spam with the $_POST['page'] parameter set to malicious JavaScript. The page value in the URL keeps the request routed to the plugin's page; the POST value is the one that gets reflected. Because the payload travels in the request body rather than the URL, it cannot be delivered as a plain link, but a cross-origin form post is enough, and no nonce is needed simply to render the admin page.
As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.
A patched version was released on March 25th and installed on all our clients’ websites the same day.