SQL Injection Vulnerability in ClearSale Total Plugin for WordPress
CVE-2026-8705

7.5 HIGH

Key Information:

Vendor: WordPress

CVE Published: 24 June 2026

What is CVE-2026-8705?

The ClearSale Total plugin for WordPress is susceptible to SQL Injection via the pagseguro[metodo] POST parameter in the clearsale_total_push AJAX action, affecting all versions up to and including 3.4.2. The flaw lets unauthenticated attackers submit crafted input that exploits PHP type juggling and, through it, execute arbitrary SQL commands. A nonce check is present, but a failed check does not stop execution because the conditional that would have terminated the request is commented out, so the check offers no protection against manipulated database queries. Successful exploitation, notably on servers running PHP versions prior to 8.0, can lead to severe data breaches through extraction of sensitive information from the database.
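The two weaknesses described above (a nonce check whose failure no longer stops execution, and a loosely typed check that lets crafted input reach an interpolated query) are shown here in a hypothetical WordPress AJAX handler alongside a hardened version. This is an added example, not the plugin's code: the function names, the `nonce` request field, the table name `{$wpdb->prefix}clearsale_orders` and the allow-listed values are assumptions; only the action name `clearsale_total_push` and the `pagseguro[metodo]` parameter come from the advisory.

```php
<?php
// Added illustration, not code from the ClearSale Total plugin.
// Function names, table name, nonce field and allow-list values are hypothetical.

// --- Weak pattern: the shape of the defect the advisory describes -----------
function clearsale_total_push_weak() {
    global $wpdb;

    // Third argument false: on failure this returns false instead of dying.
    $nonce_ok = check_ajax_referer( 'clearsale_total_push', 'nonce', false );
    // The statement that should end the request has been commented out, so a
    // request with a missing or invalid nonce simply continues past this point.
    // if ( ! $nonce_ok ) { wp_send_json_error( 'bad nonce', 403 ); }

    $metodo = isset( $_POST['pagseguro']['metodo'] ) ? $_POST['pagseguro']['metodo'] : '';

    // Loose comparison: on PHP < 8.0 a string compared with an integer is
    // coerced to a number first, so this allow-list is not a strict string
    // match and values other than "1", "2" or "3" can pass it.
    if ( ! in_array( $metodo, array( 1, 2, 3 ) ) ) {
        wp_send_json_error( 'unknown method', 400 );
    }

    // String interpolation into SQL: whatever survived the check above is
    // handed to the database verbatim.
    $rows = $wpdb->get_results(
        "SELECT id, status FROM {$wpdb->prefix}clearsale_orders WHERE metodo = '$metodo'"
    );
    wp_send_json_success( $rows );
}

// --- Hardened pattern --------------------------------------------------------
function clearsale_total_push_hardened() {
    global $wpdb;

    // Fail closed: an invalid nonce ends the request here.
    if ( ! check_ajax_referer( 'clearsale_total_push', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }

    // Reject anything that is not a scalar string before looking at its value,
    // so an array or other unexpected type never reaches the comparison.
    if ( ! isset( $_POST['pagseguro']['metodo'] ) || ! is_string( $_POST['pagseguro']['metodo'] ) ) {
        wp_send_json_error( 'missing method', 400 );
    }
    $metodo = sanitize_text_field( wp_unslash( $_POST['pagseguro']['metodo'] ) );

    // Strict allow-list: the third argument forces === comparison, which is
    // unaffected by PHP version-specific type juggling.
    if ( ! in_array( $metodo, array( '1', '2', '3' ), true ) ) {
        wp_send_json_error( 'unknown method', 400 );
    }

    // Parameterised query: the value is bound by $wpdb->prepare, never
    // interpolated into the SQL string.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, status FROM {$wpdb->prefix}clearsale_orders WHERE metodo = %s",
            $metodo
        )
    );
    wp_send_json_success( $rows );
}

// Assumed registration for both logged-in and anonymous callers; the advisory
// says the action is reachable unauthenticated, which is what wp_ajax_nopriv_ does.
add_action( 'wp_ajax_clearsale_total_push',        'clearsale_total_push_hardened' );
add_action( 'wp_ajax_nopriv_clearsale_total_push', 'clearsale_total_push_hardened' );
```

Two points follow from the hardened version. First, a nonce only proves the request originated from a page the site rendered; on an endpoint exposed to unauthenticated users it is not an authorisation check, so input validation and parameterised queries must hold on their own. Second, the strict `in_array` and the `is_string` guard remove the dependence on PHP version: the advisory notes the impact is greatest before PHP 8.0, but the corrected code behaves identically on every version.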

Affected Version(s)

ClearSale Total <= 3.4.2

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Catalin Oancea