CVE-2019-17515

Name of the Vulnerable Software and Affected Versions cleantalk-spam-protect plugin versions prior to 5.127.4

Description The issue allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter. This is possible when the Administrator is logged in and a reflected attack may execute upon a click on a malicious URL. The components affected are inc/cleantalk-users.php and inc/cleantalk-comments.php.

Recommendations For versions prior to 5.127.4, update to version 5.127.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the inc/cleantalk-users.php and inc/cleantalk-comments.php components to minimize the risk of exploitation. Avoid using the from or till parameter in affected URLs until the issue is resolved.