The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter in the `clearsale_total_push` AJAX action, which is accessible to unauthenticated users. Although a nonce verification function is present, its failure branch is disabled, allowing execution to continue regardless of nonce validity. On PHP versions below 8.0, loose type juggling causes the string "4 AND SLEEP(5)" to be treated as integer 4 in a switch statement, bypassing intended guards and leading to an unquoted SQL UPDATE query that incorporates attacker-controlled input. This enables attackers to append additional SQL commands, potentially extracting sensitive data from the database. The vulnerability affects all versions up to and including 3.4.2. Exploitation requires the server to run PHP versions earlier than 8.0.

An unauthenticated attacker can exploit this vulnerability to perform SQL Injection attacks, allowing them to execute arbitrary SQL commands on the backend database. This can lead to unauthorized disclosure of sensitive information. The vulnerability does not impact integrity or availability directly according to the CVSS vector, but confidentiality is rated high. Exploitation depends on the server running PHP versions below 8.0.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider upgrading PHP to version 8.0 or later, where the loose type juggling issue is resolved. Additionally, review and correct the nonce verification logic to ensure that failed nonce checks terminate execution properly. Avoid exposing the vulnerable AJAX action to unauthenticated users if possible.