CVE-2024-8252
📋 TL;DR
The Clean Login WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using Clean Login version 1.14.5 or earlier are affected.
💻 Affected Systems
- Clean Login WordPress Plugin
📦 What is this software?
Clean Login by Codection
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data exfiltration, ransomware deployment, or complete site takeover via arbitrary PHP code execution.
Likely Case
Unauthorized access to sensitive files, privilege escalation to administrator, or backdoor installation for persistent access.
If Mitigated
Limited impact if proper file permissions restrict PHP execution in upload directories and strict access controls are enforced.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via shortcode manipulation. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.6
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3143241%40clean-login&new=3143241%40clean-login&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Clean Login and click 'Update Now'.
4. Verify the version is 1.14.6 or later.
🔧 Temporary Workarounds
Disable Clean Login Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate clean-login
Restrict User Registration
Disable new user registration to prevent attacker account creation.
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Remove Contributor and higher roles from untrusted users
- Implement web application firewall rules to block file inclusion patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Clean Login version. If version is 1.14.5 or earlier, you are vulnerable.
Check Version:
wp plugin get clean-login --field=version
Verify Fix Applied:
After updating, confirm Clean Login version is 1.14.6 or later in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- POST requests to clean-login endpoints with template parameter manipulation
- PHP execution in unexpected directories
Network Indicators:
- HTTP requests containing 'template=../../' patterns
- Unexpected file downloads from server paths
SIEM Query:
web.url:*clean-login* AND web.param.template:*(../|php://)*
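As an added example (not part of the original advisory), the log indicators above expressed as a small Python scanner over web server access logs: it flags a `template` parameter containing `../` or `php://` even when URL-encoded, and raises the severity when the request also references clean-login, mirroring the SIEM query. The request paths and the `template` parameter name in the constructed sample lines are assumptions, not the plugin's documented endpoints.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined log format); paths and parameter names are assumptions.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=clean_login&template=login HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2024:12:00:07 +0000] "GET /index.php?template=../../wp-config HTTP/1.1" 200 845',
    '203.0.113.7 - - [10/Sep/2024:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=clean-login&template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 120',
    '203.0.113.9 - - [10/Sep/2024:12:00:15 +0000] "GET /?clean-login=1&template=php://filter/resource=index HTTP/1.1" 200 300',
    '198.51.100.2 - - [10/Sep/2024:12:00:20 +0000] "GET /about/ HTTP/1.1" 200 2048',
]

# Apache/Nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators from the advisory: directory traversal or a PHP stream wrapper in the template value.
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|php://)", re.IGNORECASE)


def inspect_request(target):
    """Return a finding for one request target, or None if the template value looks benign."""
    decoded = unquote(unquote(target))  # decode twice so %252e-style double encoding is not missed
    params = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    templates = params.get("template", [])
    if not any(SUSPICIOUS.search(value) for value in templates):
        return None
    lowered = decoded.lower()
    touches_plugin = "clean-login" in lowered or "clean_login" in lowered
    return {
        "severity": "high" if touches_plugin else "medium",
        "template": templates[0],
        "decoded_target": decoded,
    }


def scan_log(lines):
    """Parse each access-log line and collect findings with client IP, method and status attached."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        finding = inspect_request(match.group("target"))
        if finding:
            finding.update(ip=match.group("ip"), method=match.group("method"), status=match.group("status"))
            findings.append(finding)
    return findings
```

Feed real logs to `scan_log(open(path))`; a "medium" finding is a traversal attempt on any endpoint, a "high" one also references the plugin and warrants checking the plugin version and the acting account.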
🔗 References
- https://plugins.trac.wordpress.org/browser/clean-login/tags/1.14.5/include/frontend.php#L20
- https://plugins.trac.wordpress.org/browser/clean-login/tags/1.14.5/include/shortcodes.php#L146
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3143241%40clean-login&new=3143241%40clean-login&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b9f99b51-e1b1-4cd3-a9f7-24e4b59811a7?source=cve