Arbitrary File Upload Vulnerability in CleanTalk Security & Malware Plugin for WordPress
CVE-2024-13365
Key Information:
- Vendor: WordPress (plugin by CleanTalk)
- CVE Published: 12 February 2025
What is CVE-2024-13365?
CVE-2024-13365 is an arbitrary file upload vulnerability in the Security & Malware scan by CleanTalk plugin for WordPress, a plugin whose purpose is to protect WordPress sites from malware. The flaw is in checkUploadedArchive(), the function that accepts a .zip archive and unpacks it so the plugin can scan its contents for malware. Because this code path is reachable by unauthenticated attackers and does not adequately validate the uploaded archive or the files inside it, an attacker can place files of their choosing on the affected server. Uploading a PHP file beneath the web root is enough for remote code execution, which puts the whole web server at risk, not just the plugin.
Technical Details
The vulnerability affects all versions of the plugin up to and including 2.149. The issue lies in how the plugin handles the upload and extraction of .zip files during a malware scan: an attacker who controls the archive controls the names and contents of the files that are written to disk, so server-side scripts such as PHP files can be dropped into a location from which the web server will execute them. From there the attacker can read or modify site data, deface pages, or install further malware; in practice this amounts to full control of the site's hosting environment. Sites running 2.149 or earlier should update, and any archive the plugin accepted from an unauthenticated source during the exposure window should be treated as untrusted.
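The checks that are missing here are the ones any upload-and-extract path needs before it unpacks an attacker-supplied archive. The following Python is an added example written for this page, not CleanTalk's code and not a port of the patched plugin: it inspects an in-memory .zip and rejects members that would be dangerous to write under a web root (server-executable extensions, double extensions such as shell.php.jpg, server configuration files like .htaccess, path traversal, symlink entries, and oversized archives). The extension allow-list, size limits and sample archives are constructed assumptions for illustration, not the plugin's real policy.

```python
"""Validate a .zip archive's member list before anything is extracted.

Added example, not CleanTalk's code: it shows the kind of checks that an
upload-and-scan path must apply *before* unpacking an attacker-supplied
archive onto a web server. The policy constants below are assumptions for
illustration, not the plugin's real allow-list.
"""
from __future__ import annotations

import io
import stat
import zipfile

# Extensions a PHP web server would execute if they land under the document
# root (assumed policy; extend to match the real server configuration).
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "shtml", "cgi", "pl", "py",
}
# Dotfiles that change server behaviour when dropped into a directory.
DANGEROUS_BASENAMES = {".htaccess", ".user.ini", "web.config"}
MAX_MEMBERS = 1000
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB; guards against zip bombs


def member_problems(info: zipfile.ZipInfo) -> list[str]:
    """Return the policy violations for one archive entry (empty list if clean)."""
    problems = []
    name = info.filename
    segments = name.replace("\\", "/").split("/")

    # Path traversal: absolute paths, drive letters or any '..' segment would
    # let the entry escape the extraction directory.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        problems.append("absolute path")
    if ".." in segments:
        problems.append("path traversal")
    if "\x00" in name:
        problems.append("NUL byte in filename")

    # Symlinks: Unix-created zips store the mode in the high 16 bits of
    # external_attr; a symlink pointing outside the tree is as bad as '..'.
    if stat.S_ISLNK(info.external_attr >> 16):
        problems.append("symlink entry")

    # Executable content: check *every* dot-separated suffix so that
    # 'shell.php.jpg' and 'shell.PHP' are caught as well as 'shell.php'.
    base = name.rstrip("/").rsplit("/", 1)[-1].lower()
    if base in DANGEROUS_BASENAMES:
        problems.append("server config file")
    parts = base.split(".")
    if len(parts) > 1 and any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        problems.append("server-executable extension")
    return problems


def validate_archive(data: bytes) -> dict[str, list[str]]:
    """Inspect a zip held in memory; return {member: [problems]} for bad members.

    An empty dict means every entry passed policy and extraction may proceed.
    Raises ValueError for archives not worth inspecting member by member.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError(f"not a zip archive: {exc}") from exc
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise ValueError(f"too many members ({len(infos)} > {MAX_MEMBERS})")
        total = sum(i.file_size for i in infos)
        if total > MAX_TOTAL_UNCOMPRESSED:
            raise ValueError(f"uncompressed size {total} exceeds limit")
        return {i.filename: p for i in infos if (p := member_problems(i))}


def build_zip(entries: dict[str, bytes], symlinks: dict[str, str] | None = None) -> bytes:
    """Constructed test input: build an in-memory zip, optionally with symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix, so external_attr carries the mode bits
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed hostile archive mixing a benign file with typical upload tricks.
    hostile = build_zip(
        {"theme/style.css": b"body{}",
         "theme/shell.php": b"<?php system($_GET['c']);",
         "../../wp-config.php": b"x",
         "uploads/.htaccess": b"AddType application/x-httpd-php .jpg",
         "img/cat.php.jpg": b"\xff\xd8"},
        symlinks={"theme/link": "/etc/passwd"},
    )
    for member, problems in validate_archive(hostile).items():
        print(f"REJECT {member}: {', '.join(problems)}")
    print("clean archive accepted:", validate_archive(build_zip({"a/b.txt": b"hi"})) == {})
```

The point of validating the member list first, rather than extracting and then scanning, is that the attacker's file never touches disk in a web-served location if any entry fails policy; extracting into a directory outside the document root with execution disabled is the complementary control, since extension filtering alone can be bypassed by server-specific handler mappings.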
Potential impact of CVE-2024-13365
- Remote Code Execution: the primary threat is that an attacker can execute arbitrary code on the server by uploading a web shell or other server-side script. This amounts to complete compromise of the site, allowing the attacker to alter server behaviour, steal sensitive data, or deploy further malicious content.
- Data Breach: with code execution on the web server, the attacker can read the WordPress configuration, database credentials, and user data, and exfiltrate them, with the resulting financial and reputational damage.
- Web Server Integrity: a compromised server can be used to host further attacks, serve malware to visitors, or lend its resources to other malicious activity such as DDoS (Distributed Denial-of-Service) attacks.
Affected Version(s)
Security & Malware scan by CleanTalk: all versions <= 2.149