A critical arbitrary file upload vulnerability has been discovered in the Security & Malware scan by CleanTalk plugin for WordPress, potentially putting over 30,000 websites at risk of complete compromise. This vulnerability, tracked as CVE-2024-13365 and assigned a CVSS score of 9.8, could allow unauthenticated attackers to upload malicious files and execute code on vulnerable servers.
The vulnerability stems from a flaw in the plugin’s file upload checker, which fails to properly validate user-supplied data when scanning ZIP archives for malware. This allows attackers to bypass authentication and upload arbitrary files, including malicious scripts that could grant them control over the server.
“The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149,” the Wordfence report explains.
This vulnerability is particularly concerning because it can be exploited even if unauthenticated users are not normally allowed to upload files. Attackers could potentially upload a large ZIP file containing a malicious PHP file hidden among thousands of innocuous files, effectively overwhelming the server’s resources and allowing the malicious file to be executed.
Wordfence, a leading WordPress security firm, discovered the vulnerability through its bug bounty program. Security researcher Lucio Sá responsibly reported the flaw and was awarded a bounty of $1,716.00 for their contribution.
CleanTalk has released version 2.150 of the plugin to address the CVE-2024-13365 vulnerability. All users of the Security & Malware scan by CleanTalk plugin are strongly urged to update to the latest version as soon as possible to protect their websites from potential attacks.
