The Wordfence Threat Intelligence Team recently revealed the details of a SQL injection flaw in the CleanTalk Spam Protect plugin, which is installed on over 100,000 WordPress websites!
On March 4, 2021, the Wordfence Team contacted the plugin’s developer and submitted the full disclosure on March 5, 2021. On March 10, 2021, a patched version of the plugin, version 5.153.4, was released.
Vulnerability: This flaw may be exploited without logging into the site to collect sensitive information from the database, such as user emails and password hashes.
The Wordfence Threat Intelligence Team has just disclosed the details of a SQL injection vulnerability in Spam protection, AntiSpam, FireWall by CleanTalk, a plugin installed on more than 100,000 WordPress sites. https://t.co/Uy6uFPSc4y — Wordfence (@wordfence) May 3, 2021
This vulnerability was fixed in version 5.153.4, and we highly recommend updating to the most recent version of the plugin, which is 5.156 as of this writing.