CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.
Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability recently covered by the folks at WordFence.
wp-admin/edit-comments.php?page=ct_check_spam, with the
A patched version was released on March 25th and installed on all our clients’ websites the same day.