
Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

via wordfence.com => original post link

Update – after this article was published, Denis Shagimuratov of CleanTalk reached out to us on Twitter. It appears that they didn’t receive our disclosure because our contact at the company was no longer the correct recipient for this type of issue.

On February 15, 2022, the Wordfence Threat Intelligence team finished research on two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin with over 100,000 installations. These were both reflected Cross-Site Scripting vulnerabilities which could be used for site takeover if an attacker could successfully trick a site administrator into performing an action, such as clicking a link.

We initially attempted to contact CleanTalk the same day via a method that we had previously used to successfully report vulnerabilities. After we did not receive a response for over a month, we contacted the WordPress plugins team on March 22, 2022. A patched version, 5.174.1, was made available on March 25, 2022.