CVE-2023-5239 – The CleanTalk Security & Malware Scan WordPress... (How to Fix)

Q: What is the severity of CVE-2023-5239?

CVE-2023-5239 has a CVSS score of 7.5 (HIGH). The CleanTalk Security & Malware Scan WordPress plugin before version 2.121 improperly trusts HTTP headers for client IP addresses, allowing attackers to spoof their IP. This can bypass brute-force protection mechanisms, potentially enabling unlimited login attempts. WordPress sites using vulnerable plugin versions are affected.

📋 TL;DR

The CleanTalk Security & Malware Scan WordPress plugin before version 2.121 improperly trusts HTTP headers for client IP addresses, allowing attackers to spoof their IP. This can bypass brute-force protection mechanisms, potentially enabling unlimited login attempts. WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:

CleanTalk Security & Malware Scan WordPress Plugin

Versions: Versions before 2.121

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with the vulnerable plugin enabled.

📦 What is this software?

Security \& Malware Scan by Cleantalk

View all CVEs affecting Security \& Malware Scan →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers bypass brute-force protection to conduct unlimited login attempts, potentially compromising administrator accounts and taking full control of the WordPress site.

🟠

Likely Case

Attackers bypass login rate-limiting to conduct credential stuffing attacks, increasing the chance of successful account compromise.

🟢

If Mitigated

With proper IP validation and rate-limiting at the web server level, attackers cannot bypass authentication protections.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted HTTP headers to spoof IP addresses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.121

Vendor Advisory: https://wordpress.org/plugins/security-malware-firewall/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Security & Malware scan by CleanTalk' and click 'Update Now'. 4. Verify plugin version is 2.121 or higher.

🔧 Temporary Workarounds

Disable Plugin

linux

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate security-malware-firewall

Web Server IP Validation

all

Configure web server to validate and sanitize client IP addresses before passing to WordPress.

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to detect and block IP spoofing attempts
Enable additional authentication protections like two-factor authentication

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Security & Malware scan by CleanTalk' version below 2.121.

Check Version:

wp plugin get security-malware-firewall --field=version

Verify Fix Applied:

Confirm plugin version is 2.121 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts from same spoofed IP
Unusual HTTP headers like X-Forwarded-For with suspicious values

Network Indicators:

HTTP requests with manipulated IP headers to login endpoints

SIEM Query:

source="wordpress.log" AND ("wp-login.php" OR "xmlrpc.php") AND ("X-Forwarded-For" OR "Client-IP")

📊 Metadata

CVE ID: CVE-2023-5239

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Published: November 27, 2023

Last Updated: November 21, 2024

🔗 References

https://wpscan.com/vulnerability/1d748f91-773b-49d6-8f68-a27d397713c3 Exploit,Third Party Advisory
https://wpscan.com/vulnerability/1d748f91-773b-49d6-8f68-a27d397713c3 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON