Description
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (`wp_ajax_nopriv_clearsale_total_push`), and although a `wp_verify_nonce()` check exists, the failing branch's `die()` is commented out so execution continues regardless of nonce validity. On PHP < 8.0 the attacker-supplied `$metodo` value bypasses the `switch ($metodo) { case 4: ... }` guard via loose type juggling (the string `"4 AND SLEEP(5)"` compares equal to integer `4`), reaching an unquoted `UPDATE wp_cs_total_dadosextras SET metodo=$metodo, ...` query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the target server to be running PHP < 8.0.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ClearSale Total plugin for WordPress contains an unauthenticated SQL Injection flaw in the clearsale_total_push AJAX action. Unsanitized input from the pagseguro[metodo] POST parameter is interpolated, unquoted, into an UPDATE statement against the wp_cs_total_dadosextras table. A nonce verification exists, but the die() in its failing branch is commented out, so execution continues whether or not the nonce is valid. On PHP versions prior to 8.0 a loose type comparison lets the string "4 AND SLEEP(5)" satisfy the case 4 branch of the switch on the parameter, so attacker-controlled SQL reaches the query. The injected SQL runs inside the UPDATE, which an attacker can use to extract data from the database (for example through time-based blind techniques built on SLEEP); the CVSS vector rates the confidentiality impact high with no integrity or availability impact.
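The following PHP is an added illustration of the mechanism described above; it is not the ClearSale Total plugin's own code. The handler structure (a nonce check whose die() is commented out, a switch on $metodo, an unquoted UPDATE on wp_cs_total_dadosextras) follows the CVE description, while the callback names, the nonce action name, the remaining SET columns and the WHERE clause are hypothetical placeholders. The hardened version alongside it restores the fail-closed branch, casts the parameter to an integer and uses $wpdb->prepare():

```php
<?php
// Added example, not code from the ClearSale Total plugin. Function names,
// the nonce action string and the WHERE clause are hypothetical.

// 1. The loose comparison that makes the switch guard bypassable.
$metodo = "4 AND SLEEP(5)";        // attacker-controlled $_POST['pagseguro']['metodo']
var_dump($metodo == 4);            // PHP 7.x: bool(true)   PHP >= 8.0: bool(false)
// switch() uses the same loose (==) comparison, so on PHP 7 "case 4" matches.

// 2. Reconstruction of the vulnerable pattern (hypothetical names).
function vuln_clearsale_total_push() {
    global $wpdb;
    if (!wp_verify_nonce($_POST['nonce'] ?? '', 'clearsale_total_push')) {
        // die();   <- commented out in the affected versions: execution continues
    }
    $metodo = $_POST['pagseguro']['metodo'] ?? '';
    switch ($metodo) {             // loose comparison on PHP < 8.0
        case 4:
            // $metodo is interpolated without quoting, casting or preparing
            $wpdb->query("UPDATE {$wpdb->prefix}cs_total_dadosextras SET metodo=$metodo WHERE id=1");
            break;
    }
}

// 3. Hardened form: fail closed on a bad nonce, coerce to int, prepared statement.
function safe_clearsale_total_push() {
    global $wpdb;
    if (!wp_verify_nonce($_POST['nonce'] ?? '', 'clearsale_total_push')) {
        wp_die('Invalid nonce', 'Forbidden', ['response' => 403]);   // fail closed
    }
    $metodo = (int) ($_POST['pagseguro']['metodo'] ?? 0);   // "4 AND SLEEP(5)" -> 4
    switch ($metodo) {
        case 4:
            $wpdb->query($wpdb->prepare(
                "UPDATE {$wpdb->prefix}cs_total_dadosextras SET metodo=%d WHERE id=%d",
                $metodo,
                1
            ));
            break;
    }
}
```

Note that wp_verify_nonce() is a CSRF control, not authentication: WordPress issues nonces to anonymous visitors too, so restoring the die() alone does not keep unauthenticated callers out of the handler. The integer cast plus %d placeholder is what removes the injection regardless of PHP version.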

Affected Systems

WordPress sites running ClearSale Total plugin versions up to and including 3.4.2. Exploitation additionally requires the site to run PHP 7.x or earlier: PHP 8.0 changed the semantics of comparing a non-numeric string with an integer (the string is no longer coerced to a number, so "4 AND SLEEP(5)" == 4 evaluates to false), which defeats the type-juggling bypass of the switch guard. The unsanitized query itself is present on every PHP version.

Risk and Exploitability

The flaw carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), classifying it as high severity. The EPSS score is below 1% (very low), and the CVE is not listed in the CISA KEV catalog. The attack requires no privileges or user interaction: any unauthenticated client can submit a crafted POST request for the clearsale_total_push action to admin-ajax.php. Successful exploitation gives an attacker the ability to execute arbitrary SQL in the context of the plugin's UPDATE statement, enabling data exfiltration from the database, which may include credentials or other data that can be leveraged to compromise the WordPress installation.

Generated by OpenCVE AI on June 24, 2026 at 09:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ClearSale Total to a release newer than 3.4.2 as soon as one is published; at the time of writing the page records no vendor fix.
  • If an update is not possible, block unauthenticated access to the clearsale_total_push AJAX action, either by patching the plugin (restore the wp_die() on nonce failure, cast the parameter to an integer and pass it through $wpdb->prepare()) or by using a must‑use plugin that rejects unauthenticated requests for that action before the handler runs.
  • Upgrade the server to PHP 8.0 or newer. PHP 8 no longer treats "4 AND SLEEP(5)" as equal to 4, which defeats the bypass of the switch guard; this reduces exposure but does not remove the unsanitized query, so it is a mitigation rather than a fix.

Generated by OpenCVE AI on June 24, 2026 at 09:06 UTC.
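As an added example of the must-use plugin mitigation from the recommended actions (not code from the plugin vendor or from OpenCVE), the file below, dropped into wp-content/mu-plugins/, rejects unauthenticated requests for the clearsale_total_push action before admin-ajax.php dispatches the handler. It assumes the plugin registers its wp_ajax_nopriv_ hook by the time init has finished, and it does not repair the unsanitized query; logged-in requests, if the plugin also registers a wp_ajax_ handler, still reach it.

```php
<?php
/*
Plugin Name: Block unauthenticated clearsale_total_push (temporary mitigation)
Description: Added example for CVE-2026-8705; not part of the ClearSale Total plugin.
*/

// admin-ajax.php fires admin_init before it dispatches wp_ajax_nopriv_{action},
// so this runs ahead of the vulnerable handler without needing its callback name.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : '';
    if ($action !== 'clearsale_total_push' || is_user_logged_in()) {
        return;
    }
    status_header(403);
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
}, 0);

// Belt and braces: unhook every callback registered for the nopriv action.
// Runs at the lowest priority on init so the plugin has already registered it
// (assumption: the plugin does not register the hook later than init).
add_action('init', function () {
    remove_all_actions('wp_ajax_nopriv_clearsale_total_push');
}, PHP_INT_MAX);
```

Before deploying, confirm what the push action is used for on your site: if it is a legitimate unauthenticated callback from the payment provider, this file will break that integration, and the plugin-level patch (integer cast and prepared statement) is the better interim fix.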

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (`wp_ajax_nopriv_clearsale_total_push`), and although a `wp_verify_nonce()` check exists, the failing branch's `die()` is commented out so execution continues regardless of nonce validity. On PHP < 8.0 the attacker-supplied `$metodo` value bypasses the `switch ($metodo) { case 4: ... }` guard via loose type juggling (the string `"4 AND SLEEP(5)"` compares equal to integer `4`), reaching an unquoted `UPDATE wp_cs_total_dadosextras SET metodo=$metodo, ...` query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the target server to be running PHP < 8.0.
Title | | ClearSale Total <= 3.4.2 - Unauthenticated SQL Injection
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:14:02.929Z

Reserved: 2026-05-15T18:54:05.876Z

Link: CVE-2026-8705

Vulnrichment

Updated: 2026-06-24T12:13:58.965Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')