Monday, May 5, 2025
30,000 WordPress Sites Exposed to Exploitation via File Upload Vulnerability

A critical vulnerability in the “Security & Malware scan by CleanTalk” WordPress plugin, which has more than 30,000 active installations, leaves those sites open to exploitation.

The vulnerability, tracked as CVE-2024-13365, lets unauthenticated attackers upload arbitrary files to the site, which can lead to remote code execution (RCE).

The flaw carries a CVSS score of 9.8 (Critical) and affects all plugin versions up to and including 2.149. Users are strongly urged to update to the patched version, 2.150, immediately.


Technical Overview

The vulnerability arises from the way the plugin handles uploaded ZIP archives, specifically in the checkUploadedArchive() function of the UploadChecker class.

When the plugin scans an uploaded ZIP file for malware, it extracts the archive into a publicly accessible directory under the WordPress uploads folder, and it does so without an adequate authentication check.

The authentication check the plugin performs (spbc_is_user_logged_in()) only tests whether a cookie whose name begins with “wordpress_logged_in” is present in the request. It never asks WordPress to validate that cookie, and a cookie name is entirely client-controlled, so any attacker can satisfy the check by sending a cookie with that name and an arbitrary value.

This insufficient authentication check means an unauthenticated attacker can reach the upload-and-extract code path that is meant only for logged-in users.

An attacker can therefore place a malicious PHP script inside the ZIP file; once the plugin extracts the archive, that script sits on disk in a location the web server will execute, and a single HTTP request to it runs arbitrary commands on the server.

Because the destination path for the extracted files is derived from wp_get_upload_dir(), the extracted files are served directly by the web server and are reachable by anyone who knows or guesses the path.

This opens the door for attackers to deploy webshells or other backdoors, granting them full control over the compromised site.
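The following is an added illustration of the weak check described above placed beside a hardened handler; it is not CleanTalk’s code and does not reproduce the plugin’s internals. The function names, the nonce action name, the AJAX action name and the size limits are hypothetical, and the hardened functions assume WordPress is loaded so that its authentication and nonce APIs are available.

```php
<?php
// Added example, NOT CleanTalk's code. Hypothetical helper and nonce names.
// Assumes WordPress is loaded (is_user_logged_in, current_user_can, etc.).

/**
 * WEAK: the pattern the article describes. Cookie names are client input,
 * so "a cookie starting with wordpress_logged_in exists" proves nothing.
 * Satisfied by:  curl -b 'wordpress_logged_in_x=anything' ...
 */
function example_weak_is_logged_in(): bool {
    foreach ( array_keys( $_COOKIE ) as $name ) {
        if ( 0 === strpos( $name, 'wordpress_logged_in' ) ) {
            return true;
        }
    }
    return false;
}

/**
 * HARDENED: let WordPress validate the session cookie's HMAC and expiry,
 * require an administrative capability, and verify a nonce for this action.
 */
function example_can_upload_archive(): bool {
    if ( ! is_user_logged_in() ) {               // checks cookie signature, not name
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Third argument false: return false instead of die() when the nonce is bad.
    return false !== check_ajax_referer( 'example_scan_upload', 'nonce', false );
}

/**
 * HARDENED: extract into a fresh private directory under the system temp
 * dir rather than wp_get_upload_dir() (which the web server serves), reject
 * path-traversal entries, and cap entry count and total size so an archive
 * of thousands of files cannot be used to exhaust the server.
 */
function example_safe_extract( string $zip_path, int $max_entries = 500, int $max_bytes = 20 * 1024 * 1024 ): string {
    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        throw new RuntimeException( 'not a valid zip archive' );
    }
    if ( $zip->numFiles > $max_entries ) {
        throw new RuntimeException( 'too many entries in archive' );
    }
    $total = 0;
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $stat = $zip->statIndex( $i );
        $name = is_array( $stat ) ? $stat['name'] : '';
        if ( '' === $name || '/' === $name[0] || false !== strpos( $name, '..' ) || false !== strpos( $name, "\0" ) ) {
            throw new RuntimeException( 'unsafe entry name: ' . $name );
        }
        $total += (int) $stat['size'];
        if ( $total > $max_bytes ) {
            throw new RuntimeException( 'archive too large when extracted' );
        }
    }
    $dest = rtrim( get_temp_dir(), '/\\' ) . '/scan-' . bin2hex( random_bytes( 8 ) );
    if ( ! mkdir( $dest, 0700, true ) ) {
        throw new RuntimeException( 'cannot create private scan directory' );
    }
    $zip->extractTo( $dest );
    $zip->close();
    return $dest; // caller scans the files here, then deletes the directory
}

// Hypothetical wiring. wp_ajax_* (without the nopriv_ variant) already
// limits the endpoint to logged-in users; the checks above add capability,
// nonce and a safe extraction location on top of that.
add_action( 'wp_ajax_example_scan_upload', function () {
    if ( ! example_can_upload_archive() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['archive']['tmp_name'] ) || ! is_uploaded_file( $_FILES['archive']['tmp_name'] ) ) {
        wp_send_json_error( 'no archive uploaded', 400 );
    }
    $dir = example_safe_extract( $_FILES['archive']['tmp_name'] );
    // ... run the malware scanner over $dir, then remove $dir ...
    wp_send_json_success( array( 'scanned' => basename( $dir ) ) );
} );
```

The two properties that matter are that the decision to accept an upload rests on WordPress validating the signed cookie (not on the cookie’s name) and that whatever the archive contains never lands in a directory the web server is willing to execute from. Registering only the wp_ajax_ hook, and not wp_ajax_nopriv_, is the cheapest of these protections and on its own would have kept anonymous requests away from the handler.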

Risk and Exploitation

The issue is particularly dangerous because it allows any attacker, with no account on the site and no administrative access, to:

  1. Upload a large ZIP file containing thousands of dummy .txt files alongside a malicious .php file.
  2. Force the server to spend CPU, disk and memory extracting and processing those files, which can overwhelm it (a denial of service even if the PHP file is never requested).
  3. Request the extracted .php file over HTTP, triggering RCE and gaining complete control of the site.

Such attacks could lead to full site compromise, data theft, or, depending on how the web server and PHP are isolated, compromise of the underlying host.

Security researcher Lucio Sá, who identified the flaw, worked with CleanTalk on a patched version (2.150) of the plugin.

WordPress administrators using this plugin should upgrade to this version immediately to mitigate the risk.

As an additional layer of protection, site owners running a WordPress firewall such as Wordfence are advised to enable its “Disable Code Execution for Uploads directory” option.

This prevents the web server from executing PHP placed in the uploads folder, so even a file that is uploaded successfully cannot be used as a webshell. It is a defense-in-depth measure and does not replace the update.
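For sites that do not run Wordfence, the same effect can be achieved with a web-server rule. The fragment below is an added example of that principle, not Wordfence’s own implementation; it assumes Apache 2.4 with AllowOverride enabled for the uploads directory and a standard wp-content/uploads path.

```apache
# wp-content/uploads/.htaccess  (added example; assumes Apache 2.4, AllowOverride on)
# Never serve or execute PHP-like files from the uploads tree.
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)$">
    Require all denied
</FilesMatch>

# With mod_php, also switch the engine off so a file that slips past the
# regex (double extensions, odd handler mappings) still cannot execute.
# Under php-fpm this directive is ignored; the FilesMatch block above does the work.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

After adding the rule, verify it from outside: place a harmless test.php in the uploads directory and request it; the response must be 403, not the script’s output. Remove the test file afterwards. On nginx the equivalent is a `location` block matching `^/wp-content/uploads/.*\.php$` that returns 403, and it must appear before the generic `\.php$` handler because nginx picks the first matching regex location.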

This incident highlights the importance of timely plugin updates and sound security practices on WordPress sites.

The 30,000 installations exposed by this file upload vulnerability underline the risk of leaving plugins unpatched.

Site administrators should update the plugin now and review their upload-directory protections to reduce their attack surface going forward.

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
