ClearSale Total <= 3.4.2 - Unauthenticated SQL Injection
Description
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (wp_ajax_nopriv_clearsale_total_push), and although a wp_verify_nonce() check exists, the failing branch's die() is commented out so execution continues regardless of nonce validity. On PHP < 8.0 the attacker-supplied $metodo value bypasses the switch ($metodo) { case 4: ... } guard via loose type juggling (the string "4 AND SLEEP(5)" compares equal to integer 4), reaching an unquoted UPDATE wp_cs_total_dadosextras SET metodo=$metodo, ... query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the target server to be running PHP < 8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=3.4.2
Patches
Vulnerability mechanics
Root cause
"Missing input validation and a commented-out `die()` after nonce failure allow unauthenticated SQL injection via loose type juggling on PHP < 8.0."
Attack vector
An unauthenticated attacker sends a POST request to the WordPress AJAX endpoint with the action `clearsale_total_push` and a crafted `pagseguro[metodo]` parameter. Although the handler calls `wp_verify_nonce()`, the failing branch's `die()` is commented out, so execution continues regardless of nonce validity. On PHP < 8.0, the attacker-supplied string (e.g., `"4 AND SLEEP(5)"`) bypasses the `switch ($metodo)` guard via loose type juggling, because the string compares equal to integer `4`. The value is then interpolated directly into an unquoted `UPDATE wp_cs_total_dadosextras SET metodo=$metodo, ...` query, enabling SQL injection [CWE-89] [ref_id=2].
Affected code
The vulnerability resides in the `clearsale_total_push` AJAX handler within `class-clearsale-total-ajax.php`. The handler is registered for both authenticated and unauthenticated users via `wp_ajax_nopriv_clearsale_total_push` and `wp_ajax_clearsale_total_push`. The `pagseguro[metodo]` POST parameter is used unsafely in a SQL query after a nonce check that fails silently (the `die()` call is commented out).
What the fix does
The advisory does not include a published patch. The recommended remediation is to ensure the `pagseguro[metodo]` value is validated as an integer before being used in the SQL query, to restore the `die()` call in the nonce verification failure branch, and to use prepared statements or proper quoting for all database queries. Without these changes, the vulnerability remains exploitable on PHP < 8.0.
Preconditions
- configTarget server must be running PHP < 8.0 for loose type juggling to bypass the switch guard
- networkThe WordPress AJAX endpoint must be accessible (no additional authentication required)
- authThe attacker does not need any WordPress user account; the handler is registered for unauthenticated users
- inputThe attacker supplies a crafted `pagseguro[metodo]` POST parameter containing SQL injection payload
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- plugins.trac.wordpress.org/browser/clearsale-total/tags/3.3.2/includes/class-clearsale-total-ajax.phpmitre
- plugins.trac.wordpress.org/browser/clearsale-total/tags/3.4.2/includes/class-clearsale-total-ajax.phpmitre
- plugins.trac.wordpress.org/browser/clearsale-total/trunk/includes/class-clearsale-total-ajax.phpmitre
- plugins.trac.wordpress.org/browser/clearsale-total/trunk/includes/class-clearsale-total-ajax.phpmitre
- plugins.trac.wordpress.org/browser/clearsale-total/trunk/includes/class-clearsale-total.phpmitre
- www.wordfence.com/threat-intel/vulnerabilities/id/871f6611-3b5e-4e36-992c-726b31e88c95mitre
News mentions
0No linked articles in our index yet.