CVE-2024-13365
📋 TL;DR
The CleanTalk Security & Malware plugin for WordPress has a critical vulnerability allowing unauthenticated attackers to upload arbitrary files via ZIP archive scanning. This can lead to remote code execution on affected websites. All WordPress sites using CleanTalk plugin versions up to 2.149 are vulnerable.
💻 Affected Systems
- CleanTalk Security & Malware Firewall WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access, install cryptocurrency miners, or deploy ransomware.
If Mitigated
If proper file upload restrictions and web application firewalls are in place, exploitation attempts would be blocked or detected.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill due to public proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.150
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3229205/security-malware-firewall#file527
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Security & Malware scan by CleanTalk'.
4. Click 'Update Now' if available, or manually update to version 2.150+.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable CleanTalk Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate security-malware-firewall
Restrict ZIP Uploads via .htaccess
Deny web server requests for .zip files in the WordPress upload directories (Apache .htaccess placed in the directory to protect). This limits what an uploaded archive can be used for but does not stop the plugin itself from processing one.
<Files *.zip>
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Immediately disable the CleanTalk plugin via WordPress admin or by renaming its directory.
- Implement a web application firewall (WAF) rule to block requests that reach the plugin's vulnerable checkUploadedArchive() code path.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Security & Malware scan by CleanTalk' version 2.149 or lower.
Check Version:
wp plugin get security-malware-firewall --field=version
Verify Fix Applied:
Confirm the plugin version is 2.150 or higher in WordPress admin, and test that ZIP file uploads through the plugin are properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual ZIP file uploads to WordPress upload directories
- HTTP POST requests to CleanTalk plugin endpoints with ZIP files
- Execution of unexpected PHP files in upload directories
Network Indicators:
- HTTP requests containing ZIP archives to /wp-content/plugins/security-malware-firewall/ endpoints
- Outbound connections from web server to unknown IPs after file uploads
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/security-malware-firewall/*" AND method="POST" AND file_ext="zip")
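The log indicators above can be checked directly against a web server access log. The following is an added example (not code from the page or from CleanTalk) that parses Apache combined-format lines, flags POST requests to the plugin directory, flags requests for script files under /wp-content/uploads/, and escalates when the same client did both in sequence. The sample lines are constructed, and the plugin endpoint path in them is a placeholder, since the page does not name the vulnerable endpoint.

```python
import re
from collections import defaultdict

PLUGIN_PREFIX = "/wp-content/plugins/security-malware-firewall/"
UPLOADS_PREFIX = "/wp-content/uploads/"
# Script extensions that should never be served from the uploads tree.
SCRIPT_EXT = re.compile(r"\.(php|phtml|php[3-7]|phar)$", re.IGNORECASE)

# Apache combined-log line: client IP, request method and request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample lines (not real traffic). EXAMPLE-endpoint.php is a
# placeholder; the page does not name the vulnerable plugin endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-content/plugins/security-malware-firewall/EXAMPLE-endpoint.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [10/Jan/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/01/x.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:12:01:00 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:01:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

def scan_access_log(text):
    """Return (severity, ip, path) findings for the log indicators above."""
    findings = []
    posted_to_plugin = defaultdict(bool)  # ip -> saw a POST to the plugin directory
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        path_no_query = path.split("?", 1)[0]
        if method == "POST" and path_no_query.startswith(PLUGIN_PREFIX):
            posted_to_plugin[ip] = True
            findings.append(("medium", ip, path_no_query))
        elif path_no_query.startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(path_no_query):
            # A script requested from the uploads tree is suspicious on its own;
            # escalate when the same client posted to the plugin earlier
            # (upload-then-execute pattern).
            severity = "high" if posted_to_plugin[ip] else "medium"
            findings.append((severity, ip, path_no_query))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a "high" finding is a prompt to inspect the uploads directory for unexpected PHP files.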