
ClearSale Total – EUVD-2026-38672

CVE-2026-8705 | HIGH
SQL Injection (CWE-89)
Published 2026-06-24 · Wordfence · GHSA-58pf-7c32-vjf7
CVSS 3.1 base score 7.5 · Vendor: Wordfence

Severity by source

Vendor (Wordfence), primary: 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 5.9 MEDIUM
Network unauthenticated, but AC:H because exploitation requires the target to run PHP < 8.0; impact limited to confidentiality via data exfiltration from UPDATE-based SQLi.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (2 events)

Analysis Generated: Jun 24, 2026 - 06:52 (vuln.today)
CVE Published: Jun 24, 2026 - 05:33 (cve.org)

Description (CVE.org)

The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (wp_ajax_nopriv_clearsale_total_push), and although a wp_verify_nonce() check exists, the failing branch's die() is commented out so execution continues regardless of nonce validity. On PHP < 8.0 the attacker-supplied $metodo value bypasses the switch ($metodo) { case 4: ... } guard via loose type juggling (the string "4 AND SLEEP(5)" compares equal to integer 4), reaching an unquoted UPDATE wp_cs_total_dadosextras SET metodo=$metodo, ... query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the target server to be running PHP < 8.0.
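The description above names three defects (the commented-out die() after wp_verify_nonce(), the loose-comparison switch guard on PHP < 8.0, and the unquoted UPDATE). The following is an added example, not the plugin's own code, of what a handler that closes all three looks like; the hook callback name, the nonce action string, the row key `id` and the use of `$wpdb->prefix` for the `cs_total_dadosextras` table are assumptions.

```php
<?php
// Added example, not the plugin's code: hardened shape of the
// clearsale_total_push handler described in the advisory.
// Assumed: nonce action 'clearsale_total_push', row key 'id',
// table $wpdb->prefix . 'cs_total_dadosextras'.

add_action( 'wp_ajax_nopriv_clearsale_total_push', 'cs_total_push_fixed' );
add_action( 'wp_ajax_clearsale_total_push', 'cs_total_push_fixed' );

function cs_total_push_fixed() {
    global $wpdb;

    // 1. A failed nonce check must end the request. In the vulnerable build
    //    the die() in this branch was commented out, so execution fell through.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'clearsale_total_push' ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 ); // ends via wp_die()
    }

    // 2. Validate metodo as a plain unsigned integer *before* the switch.
    //    On PHP < 8.0, switch compares loosely, so a string like "4 anything"
    //    compares equal to integer 4; rejecting non-digit strings and casting
    //    to int removes that path on every PHP version.
    $pg  = isset( $_POST['pagseguro'] ) ? wp_unslash( $_POST['pagseguro'] ) : null;
    $raw = ( is_array( $pg ) && isset( $pg['metodo'] ) ) ? $pg['metodo'] : '';
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_send_json_error( array( 'message' => 'invalid metodo' ), 400 );
    }
    $metodo = (int) $raw;
    $row_id = absint( $_POST['id'] ?? 0 ); // assumed row identifier

    switch ( $metodo ) {
        case 4:
            // 3. Never interpolate into SQL. $wpdb->update() binds the value
            //    with the %d format, so metodo can only ever be an integer.
            $wpdb->update(
                $wpdb->prefix . 'cs_total_dadosextras',
                array( 'metodo' => $metodo ),
                array( 'id' => $row_id ),
                array( '%d' ),
                array( '%d' )
            );
            break;
        default:
            wp_send_json_error( array( 'message' => 'unsupported metodo' ), 400 );
    }
    wp_send_json_success();
}
```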

Analysis (AI)

Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Identify WordPress site running ClearSale Total on PHP 7.x
  • Delivery: Craft POST to admin-ajax.php with action=clearsale_total_push
  • Exploit: Supply pagseguro[metodo]=4 AND <SQL payload>
  • Install: Bypass nonce check via missing die()
  • C2: Bypass switch guard via type juggling
  • Execute: Inject into unquoted UPDATE query
  • Impact: Exfiltrate database contents via boolean/time-based inference

Vulnerability Assessment (AI)

Exploitation: Target must be a WordPress site running the ClearSale Total plugin at version 3.4.2 or earlier with the clearsale_total_push AJAX action registered (default install behavior - it uses wp_ajax_nopriv_ so no login is required). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N), reflecting unauthenticated network exploitation with low complexity, but impact is constrained to confidentiality (C:H/I:N/A:N) - consistent with a read-oriented SQLi used for data exfiltration rather than full database write or RCE pivot. …

Exploit Scenario: An unauthenticated attacker sends a crafted POST to /wp-admin/admin-ajax.php with action=clearsale_total_push and a pagseguro[metodo] value such as '4 AND (SELECT SLEEP(5))' or a UNION-based payload, omitting or supplying any nonce value. Because the nonce-failure die() is commented out and PHP 7.x loose equality matches the string against case 4, the payload reaches the unquoted UPDATE query and exfiltrates wp_users password hashes, session tokens, or other sensitive table contents via boolean/time-based inference. …

Remediation: No vendor-released patch identified at time of analysis - version 3.4.2 (the latest as of this advisory) is still vulnerable, so site operators should deactivate and remove the ClearSale Total plugin until a fixed release is published by the vendor or replace it with an alternative anti-fraud integration. …
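Where the plugin cannot be removed immediately (for example because the PagSeguro push callback is in production use), a must-use plugin can act as an interim virtual patch by rejecting clearsale_total_push requests whose pagseguro[metodo] is not a plain unsigned integer, before the vulnerable handler runs. This is an added example and not vendor code; it assumes legitimate metodo values are integers, as the advisory's `case 4:` guard and unquoted integer column suggest.

```php
<?php
/**
 * Plugin Name: CS Total metodo guard (added example, not vendor code)
 * Drop into wp-content/mu-plugins/. Interim compensating control for
 * CVE-2026-8705: blocks clearsale_total_push requests whose
 * pagseguro[metodo] is not a plain unsigned integer. Assumes legitimate
 * values are integers (the advisory's switch has `case 4:`).
 */

function cs_guard_is_plain_int( $value ) {
    return is_string( $value ) && $value !== '' && ctype_digit( $value );
}

function cs_guard_block_bad_metodo() {
    // Only admin-ajax.php requests for this specific action are of interest.
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    if ( $action !== 'clearsale_total_push' ) {
        return;
    }
    $pg = isset( $_POST['pagseguro'] ) ? wp_unslash( $_POST['pagseguro'] ) : null;
    if ( is_array( $pg ) && array_key_exists( 'metodo', $pg )
         && ! cs_guard_is_plain_int( $pg['metodo'] ) ) {
        // Record the block for detection; do not echo the payload back.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( 'cs_guard: blocked clearsale_total_push with non-integer metodo from ' . $ip );
        wp_die( 'Bad request', 'Bad request', array( 'response' => 400 ) );
    }
}
// mu-plugins load before 'init' fires and before admin-ajax.php dispatches
// the wp_ajax_* hooks, so priority 0 on 'init' runs ahead of the handler.
add_action( 'init', 'cs_guard_block_bad_metodo', 0 );
```

The error_log line gives a concrete string to alert on in the PHP error log while the plugin remains installed.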

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations running ClearSale Total plugin; disable the plugin immediately if non-critical, or apply database access restrictions. …


