WordPress Plugin Arbitrary File Upload Vulnerability Allows Attackers to Hack 30,000 Websites

A critical vulnerability in the “Security & Malware scan by CleanTalk” WordPress plugin has exposed over 30,000 websites to potential exploitation.

This flaw, tracked as CVE-2024-13365 with a CVSS score of 9.8 (critical), allows unauthenticated attackers to upload arbitrary files, which can lead to remote code execution (RCE) on affected servers.

The vulnerability impacts all plugin versions up to and including 2.149.

Exploitation Details and Risks

The vulnerability stems from insufficient validation of files submitted to the plugin's malware scanning feature.

Specifically, the checkUploadedArchive() function does not adequately validate the contents of uploaded .zip archives, so an attacker can place arbitrary files, such as PHP scripts, inside an archive the plugin accepts.

The archive is then extracted into a publicly accessible directory, so the attacker can request the planted files directly over the web, have the server execute them as scripts, and gain unauthorized access to the server.

The flaw is particularly dangerous because it requires no authentication: anyone who can reach the site can exploit it without login credentials.

Successful exploitation can result in complete site compromise, including data theft, malware injection, website defacement, and full server takeover.

Patch and Mitigation Timeline

The vulnerability was responsibly disclosed on December 7, 2024, by security researcher Lucio Sá through the Wordfence Bug Bounty Program.

Wordfence verified the report and contacted the CleanTalk team on January 13, 2025; a patched version, 2.150, was released on January 27, 2025.

Wordfence Premium users received a firewall rule to block exploitation attempts on January 14, 2025, while free users gained access to this protection on February 13, 2025.

Website administrators using the CleanTalk plugin are urged to update immediately to version 2.150 or later, and to confirm the installed version afterwards rather than assume an automatic update succeeded.

Failure to do so leaves sites vulnerable to attacks that could result in severe operational and reputational damage.

For additional security:

  • Implement a web application firewall (WAF) such as Wordfence.
  • Regularly update all plugins and themes.
  • Restrict who may upload files, validate file types and archive contents server-side, and block script execution in directories that hold uploaded data.
  • Monitor web server and application logs for suspicious activity, in particular requests for script files in directories that should only contain uploaded data.
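The log check in the last item is easy to automate. The script below is an added example, not from the article or from CleanTalk: it parses Apache combined-format access log lines and flags every request for a PHP file under a directory that should only hold data, grouping 200 responses by client address. The log lines are constructed for the example, and WRITABLE_DIRS is an assumption: wp-content/uploads is the usual candidate, but any directory the scanner plugin writes into on a given install should be added.

```python
"""Flag requests that execute PHP from directories that should hold only data.

Added example, not the article's or CleanTalk's code. A responder's first
question after this kind of upload flaw is which PHP files were requested
from writable, web-served directories and by whom. Log lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: directories the web server may write to but must never execute from.
WRITABLE_DIRS = ("/wp-content/uploads/",)
PHP_EXTENSIONS = (".php", ".phtml", ".phar")

# Constructed sample log: one client uploads via admin-ajax, then hits a
# planted shell twice; another client probes for a shell that is not there.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jan/2025:10:14:05 +0000] "GET /wp-content/uploads/2025/01/shell.php?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Jan/2025:10:15:11 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 80322 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Jan/2025:10:16:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jan/2025:10:17:44 +0000] "GET /wp-content/uploads/2025/01/shell.php?cmd=whoami HTTP/1.1" 200 498 "-" "curl/8.4.0"
192.0.2.9 - - [28/Jan/2025:10:18:01 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_php_in_writable_dir(target: str) -> bool:
    """True if the request path points at a PHP file inside a writable directory."""
    path = target.split("?", 1)[0].lower()
    if not path.startswith(WRITABLE_DIRS):
        return False
    base = path.rsplit("/", 1)[-1]
    # Check every dotted segment so evil.php.jpg is caught as well as evil.php.
    return any("." + seg in PHP_EXTENSIONS for seg in base.split(".")[1:])


def find_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that request PHP from a writable directory."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_php_in_writable_dir(rec["target"]):
            hits.append(rec)
    return hits


def suspects(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Client IPs that received a 200 for such a request, with counts.

    A 200 means the script exists and ran (a live web shell); a 404 is a probe.
    """
    return dict(Counter(h["ip"] for h in hits if h["status"] == "200"))


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]}')
    print("suspect clients:", suspects(found))
```

On a live incident, run the same check over the full retention window: the first 200 for a flagged path gives the time the web shell became reachable, and the upload request immediately preceding it from the same client is the one to pull the request body for.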

This incident underscores the importance of proactive vulnerability management and timely updates for any software that accepts and processes user-supplied files.
