CVE-2024-13365
Published: 12 February 2025
Description
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Security Summary
CVE-2024-13365 is an arbitrary file upload vulnerability in the Security & Malware scan by CleanTalk plugin for WordPress. The issue stems from the checkUploadedArchive() function, which uploads and extracts .zip archives during malware scanning without sufficient validation. This affects all versions of the plugin up to and including 2.149.
Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction or privileges required. By submitting malicious .zip archives, they can upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Mitigation details are provided in the Wordfence advisory, and the fix is in WordPress.org plugins Trac changeset 3229205 for the security-malware-firewall plugin. Site operators should update the plugin to a version later than 2.149 to address the issue.
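The defensive counterpart to the weakness described above, as an added example that is not the CleanTalk plugin's code or the Trac changeset: a PHP routine that inspects an uploaded .zip by reading entry metadata only, rejecting path traversal, dangerous file types and oversized archives before anything is written to disk. The function name inspect_uploaded_archive and its limits are assumptions; the caller is assumed to have already enforced WordPress capability and nonce checks.

```php
<?php
// Illustrative hardening for archive inspection (not the plugin's own code).
// Assumptions: the caller already checked capabilities and a nonce, and
// $uploadPath is the temporary path PHP assigned to the uploaded file.
function inspect_uploaded_archive(string $uploadPath, int $maxEntries = 500, int $maxTotalBytes = 52428800): array
{
    $errors = [];
    $zip = new ZipArchive();
    // CHECKCONS makes open() fail on structurally inconsistent archives.
    if ($zip->open($uploadPath, ZipArchive::CHECKCONS) !== true) {
        return ['ok' => false, 'errors' => ['not a valid zip archive']];
    }
    if ($zip->numFiles > $maxEntries) {
        $errors[] = 'too many entries';
    }
    // File types that must never land under the web root (CWE-434).
    $blocked = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'shtml', 'cgi', 'htaccess'];
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        $name = (string) $st['name'];
        // Zip slip: reject empty names, absolute paths, drive letters and "..".
        if ($name === '' || $name[0] === '/' || $name[0] === '\\'
            || preg_match('/^[A-Za-z]:/', $name) || strpos($name, '..') !== false) {
            $errors[] = "unsafe path: $name";
        }
        // Check every dot-separated segment so "shell.php.txt" is caught too.
        foreach (explode('.', strtolower(basename($name))) as $segment) {
            if (in_array($segment, $blocked, true)) {
                $errors[] = "blocked type: $name";
                break;
            }
        }
        // Sum declared uncompressed sizes to bound the extraction footprint.
        $total += (int) $st['size'];
    }
    if ($total > $maxTotalBytes) {
        $errors[] = 'declared uncompressed size exceeds limit';
    }
    $zip->close();
    return ['ok' => empty($errors), 'errors' => $errors];
}
```

If the scanner genuinely needs the file contents, extract only archives that pass this check, into a randomly named directory outside the web root, and delete that directory when scanning finishes.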
Details
- CWE(s)