Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network unauthenticated, but AC:H because exploitation requires the target to run PHP < 8.0; impact limited to confidentiality via data exfiltration from UPDATE-based SQLi.
Primary rating from Vendor (Wordfence).
CVSS Vector (Vendor: Wordfence): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (source: CVE.org)
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (wp_ajax_nopriv_clearsale_total_push), and although a wp_verify_nonce() check exists, the failing branch's die() is commented out so execution continues regardless of nonce validity. On PHP < 8.0 the attacker-supplied $metodo value bypasses the switch ($metodo) { case 4: ... } guard via loose type juggling (the string "4 AND SLEEP(5)" compares equal to integer 4), reaching an unquoted UPDATE wp_cs_total_dadosextras SET metodo=$metodo, ... query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the target server to be running PHP < 8.0.
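The three defects the description names (a nonce check whose failure branch no longer stops execution, a loose `switch` guard that PHP 7.x type juggling slips past, and an integer interpolated into an UPDATE without binding) are easiest to see side by side. The following PHP is an added illustration written for this page, not the plugin's code: `metodo_passes_loose_guard()` reproduces only the comparison behaviour the advisory describes, `sanitize_metodo()` is a strict allow-list validator, and `cs_total_push_hardened()` sketches how the handler would look with `check_ajax_referer()` and `$wpdb->prepare()`. The function names, the nonce action name and the `id` parameter are assumptions.

```php
<?php
// Added example (not the ClearSale Total plugin's code). Function names, the
// nonce action string and the 'id' POST field are assumptions for illustration.

// The guard pattern from the advisory: switch compares with == (loose).
// On PHP < 8.0 a leading-numeric string such as "4 AND SLEEP(5)" compares
// equal to the integer 4; on PHP >= 8.0 the same comparison is false, which is
// why the advisory limits exploitation to PHP 7.x.
function metodo_passes_loose_guard($metodo) {
    switch ($metodo) {
        case 4:
            return true;
        default:
            return false;
    }
}

// Strict replacement: accept only a string of decimal digits whose integer
// value is on an allow-list. Returns the int on success, null on rejection.
// ctype_digit() rejects "4 AND ...", " 4", "4.0", "-4" and non-string input.
function sanitize_metodo($metodo) {
    if (!is_string($metodo) && !is_int($metodo)) {
        return null;
    }
    $s = (string) $metodo;
    if ($s === '' || !ctype_digit($s)) {
        return null;
    }
    $n = (int) $s;
    $allowed = array(4); // assumed allow-list of payment-method codes
    return in_array($n, $allowed, true) ? $n : null;
}

// Hardened handler sketch (needs WordPress; not exercised stand-alone).
//   1. check_ajax_referer() terminates the request on nonce failure instead of
//      falling through as the commented-out die() does.
//   2. The method code is validated before any SQL is assembled.
//   3. $wpdb->prepare() binds the value with %d, so nothing can be appended.
function cs_total_push_hardened() {
    global $wpdb;
    check_ajax_referer('clearsale_total_push'); // assumed nonce action name
    $raw = (isset($_POST['pagseguro']) && is_array($_POST['pagseguro'])
            && isset($_POST['pagseguro']['metodo']))
        ? $_POST['pagseguro']['metodo'] : null;
    $metodo = sanitize_metodo($raw);
    if ($metodo === null) {
        wp_send_json_error('invalid metodo', 400);
    }
    $row_id = isset($_POST['id']) ? absint($_POST['id']) : 0; // assumed row key
    $wpdb->query($wpdb->prepare(
        "UPDATE {$wpdb->prefix}cs_total_dadosextras SET metodo = %d WHERE id = %d",
        $metodo,
        $row_id
    ));
    wp_send_json_success();
}

// Stand-alone CLI demonstration (skipped inside WordPress): run it under
// PHP 7.x and PHP 8.x to see the loose guard differ while the strict one
// rejects the same inputs on both.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    foreach (array('4', '4 AND SLEEP(5)', '5') as $in) {
        printf("%-18s loose=%-6s strict=%s\n", var_export($in, true),
            metodo_passes_loose_guard($in) ? 'pass' : 'reject',
            sanitize_metodo($in) === null ? 'reject' : 'pass');
    }
}
```

The strict validator is the part worth keeping even after the binding fix: `%d` in `$wpdb->prepare()` would already cast `"4 AND SLEEP(5)"` to 4, but validating first keeps unexpected method codes out of the table and gives the handler a clear 400 to log.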
Analysis (AI)
Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Target must be a WordPress site running the ClearSale Total plugin at version 3.4.2 or earlier with the clearsale_total_push AJAX action registered (default install behavior: it uses wp_ajax_nopriv_, so no login is required). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N), reflecting unauthenticated network exploitation with low complexity, but impact is constrained to confidentiality (C:H/I:N/A:N), consistent with a read-oriented SQLi used for data exfiltration rather than full database write or RCE pivot. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted POST to /wp-admin/admin-ajax.php with action=clearsale_total_push and a pagseguro[metodo] value such as '4 AND (SELECT SLEEP(5))' or a UNION-based payload, omitting or supplying any nonce value. Because the nonce-failure die() is commented out and PHP 7.x loose equality matches the string against case 4, the payload reaches the unquoted UPDATE query and exfiltrates wp_users password hashes, session tokens, or other sensitive table contents via boolean/time-based inference. … |
| Remediation | No vendor-released patch identified at time of analysis; version 3.4.2 (the latest as of this advisory) is still vulnerable, so site operators should deactivate and remove the ClearSale Total plugin until a fixed release is published by the vendor, or replace it with an alternative anti-fraud integration. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Identify all WordPress installations running ClearSale Total plugin; disable the plugin immediately if non-critical, or apply database access restrictions. …
Weakness: CWE-89 – SQL Injection
Related identifiers: EUVD-2026-38672, GHSA-58pf-7c32-vjf7