A critical security vulnerability in the “Security & Malware scan by CleanTalk” plugin has left over 30,000 WordPress websites exposed to exploitation.
The vulnerability, tracked as CVE-2024-13365, allows unauthenticated attackers to upload arbitrary files, which can lead to remote code execution (RCE).
The flaw, assigned a CVSS score of 9.8 (Critical), affects all plugin versions up to and including 2.149. Users are strongly urged to update to the patched version, 2.150, immediately.
The vulnerability arises from the way the plugin handles ZIP file uploads, primarily through the vulnerable checkUploadedArchive() function of the UploadChecker class.
When the plugin scans an uploaded ZIP file for malware, it extracts the archive to a publicly accessible directory in the WordPress uploads folder without adequate authentication checks.
The root cause is the plugin's authentication gate, spbc_is_user_logged_in(): it only checks that a cookie whose name begins with "wordpress_logged_in" is present in the request and does not validate that cookie against a real WordPress session.
Since any client can send a cookie with that name, an unauthenticated attacker passes the check and can submit an archive to the scanner exactly as a logged-in user would.
An attacker therefore places a malicious PHP script inside the ZIP file, submits it for "scanning", and lets the plugin extract it for them.
Because the destination path is derived from wp_get_upload_dir(), the extracted files land under the web-served uploads directory, where the web server hands .php files to the PHP interpreter, so a single GET request to the extracted script executes arbitrary code on the server.
This opens the door for attackers to deploy webshells or other backdoors, granting them full control over the compromised site.
The issue is particularly dangerous because it allows any attacker—without authentication or administrative access—to:
Such attacks could lead to full site compromise, data breaches, or even server-level exploitation, depending on the attacker’s objectives.
Security researcher Lucio Sá, who identified the flaw, has collaborated with CleanTalk to release a patched version (2.150) of the plugin.
WordPress administrators using this plugin must immediately upgrade to this version to mitigate the risk.
For enhanced protection, site owners running a WordPress firewall such as Wordfence are advised to enable the "Disable Code Execution for Uploads directory" option.
This blocks the web server from executing PHP dropped into the uploads folder, which defeats the final step of this attack chain and adds an extra layer of defense; it relies on the web server honouring the rule (Apache .htaccess-style controls do nothing on nginx), so it complements the patch rather than replacing it.
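The following PHP is an added example and not CleanTalk's code or its patch. It contrasts a "logged in" gate that merely looks for a wordpress_logged_in* cookie (an illustrative reconstruction of the behaviour described above, not the plugin's actual spbc_is_user_logged_in()) with a hardened upload path that authenticates properly, refuses executable entries, extracts outside any web-served directory, and drops the same kind of no-execution rule the Wordfence option applies to the uploads folder. All example_* function names and the nonce action are hypothetical; the WordPress and ZipArchive calls are real.

```php
<?php
/**
 * Added example, not CleanTalk's code. example_* names are hypothetical.
 */

/** Weak gate (illustrative): passes for any client that sets a cookie with this name prefix. */
function example_weak_is_logged_in(): bool {
    foreach ( array_keys( $_COOKIE ) as $name ) {
        if ( 0 === strpos( $name, 'wordpress_logged_in' ) ) {
            return true; // the cookie value is never checked against a session
        }
    }
    return false;
}

/**
 * Hardened gate: is_user_logged_in() validates the auth cookie's signature
 * against the user's session, the capability check limits scans to admins,
 * and check_admin_referer() requires a nonce WordPress itself issued.
 */
function example_require_scan_capability(): void {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_scan_upload' ); // hypothetical nonce action
}

/** True if any dotted suffix of the file name is a PHP-type extension (catches shell.php.jpg too). */
function example_has_executable_extension( string $name ): bool {
    $blocked  = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps' );
    $segments = explode( '.', strtolower( basename( $name ) ) );
    array_shift( $segments ); // drop the base name, keep every extension
    return (bool) array_intersect( $segments, $blocked );
}

/**
 * Extract $zip_path for scanning. Unlike extracting under wp_get_upload_dir(),
 * the target is a random directory under the PHP temp dir, which the web
 * server does not serve, and PHP-type entries are never written at all.
 * Returns the directory used and the entry names that were refused.
 */
function example_extract_for_scan( string $zip_path ): array {
    example_require_scan_capability();

    $dest = trailingslashit( get_temp_dir() ) . 'example-scan-' . wp_generate_password( 16, false );
    if ( ! wp_mkdir_p( $dest ) ) {
        wp_die( 'Cannot create scan directory' );
    }

    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        wp_die( 'Invalid archive' );
    }

    $skipped = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        // Refuse traversal, absolute paths and anything the server could execute.
        if ( false !== strpos( $name, '..' )
            || '/' === substr( $name, 0, 1 )
            || example_has_executable_extension( $name ) ) {
            $skipped[] = $name;
            continue;
        }
        $zip->extractTo( $dest, $name );
    }
    $zip->close();

    // Defence in depth, same idea as a "no code execution in uploads" rule:
    // even if this directory were ever web-served, Apache 2.4 refuses PHP files in it.
    file_put_contents(
        $dest . '/.htaccess',
        '<FilesMatch "\.(php|php[3-8]|phtml|phar|phps)$">' . "\n"
        . '    Require all denied' . "\n"
        . '</FilesMatch>' . "\n"
    );

    return array( 'dir' => $dest, 'skipped' => $skipped );
}
```

The caller should scan the returned directory and then delete it; the .htaccess line is only honoured by Apache with AllowOverride enabled, so on nginx the equivalent is a location block that denies or returns 403 for .php under the uploads path. The extension filter deliberately inspects every dotted segment because some legacy Apache mod_mime setups hand "shell.php.jpg" to PHP as well.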
This incident highlights the critical importance of regular plugin updates and robust security practices on WordPress sites.
That more than 30,000 sites were exposed through a single plugin's upload handling underlines the risk of leaving plugins unpatched.
Site administrators should update the plugin immediately and, because a site may already have been exploited before the update, check the uploads directory for unexpected PHP files and review their security settings to minimize their attack surface going forward.