CVE-2024-13365
Published: 12 February 2025
Summary
CVE-2024-13365 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cleantalk Security & Malware Scan. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13365 is an arbitrary file upload vulnerability in the Security & Malware scan by CleanTalk plugin for WordPress. The issue stems from the checkUploadedArchive() function, which uploads and extracts .zip archives during malware scanning without sufficient validation. This affects all versions of the plugin up to and including 2.149.
Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction or privileges required. By submitting malicious .zip archives, they can upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Mitigation details are provided in advisories from Wordfence and in the patch published as WordPress plugins Trac changeset 3229205 for the security-malware-firewall plugin. Security practitioners should update to a patched version later than 2.149 to address the issue.
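The control the page describes is validating an uploaded archive before anything is extracted from it. The following is an added example, not CleanTalk's code and not the patch from the changeset above, of such a pre-extraction check in Python: it rejects entries whose paths escape the target directory, symlink entries, server-executable file types, and oversized archives. The suffix list, entry limit and size limit are assumptions chosen for illustration.

```python
from __future__ import annotations
import io
import zipfile
from pathlib import PurePosixPath

# Policy values are assumptions for this example, not CleanTalk's own settings.
DANGEROUS_SUFFIXES = {".php", ".phtml", ".php3", ".php5", ".phar", ".phps"}
DANGEROUS_NAMES = {".htaccess", ".user.ini"}   # server config files that can re-enable execution
MAX_ENTRIES = 500
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024       # 50 MiB, guards against decompression bombs
S_IFLNK = 0o120000                              # symlink file-type bits in the external_attr mode


def validate_archive(data: bytes) -> list[str]:
    """Inspect a .zip held in memory and return reasons to reject it; [] means it may be extracted."""
    problems: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        problems.append(f"too many entries: {len(infos)}")
    total = 0
    for info in infos:
        name = info.filename
        path = PurePosixPath(name)
        # "zip slip": absolute paths, backslashes or '..' components escape the extraction directory
        if name.startswith("/") or "\\" in name or ".." in path.parts:
            problems.append(f"unsafe path: {name}")
        # a symlink entry can redirect later writes to files outside the extraction directory
        if (info.external_attr >> 16) & 0o170000 == S_IFLNK:
            problems.append(f"symlink entry: {name}")
        # any server-executable suffix in the chain (shell.php, shell.php.jpg) or a config file name
        if {s.lower() for s in path.suffixes} & DANGEROUS_SUFFIXES or path.name.lower() in DANGEROUS_NAMES:
            problems.append(f"dangerous file type: {name}")
        total += info.file_size
    if total > MAX_TOTAL_UNCOMPRESSED:
        problems.append(f"uncompressed size too large: {total} bytes")
    return problems


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive from {name: content} for exercising the validator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run validate_archive() on the raw upload before any extraction call; a non-empty list means the upload is refused and logged, and only an empty list allows extraction into the scan directory.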
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51556
Vulnerability details
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in public-facing WordPress plugin enables remote exploitation (T1190) and direct deployment of web shells for RCE (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of uploaded .zip archives in checkUploadedArchive() to prevent arbitrary file uploads and extraction of malicious content.
- SI-2 (Flaw Remediation): ensures timely patching of the plugin, which is affected in all versions up to and including 2.149, directly addressing the arbitrary file upload flaw as recommended in the advisories.
- Restricts upload of dangerous file types, such as unvalidated .zip archives, to the WordPress site, blocking unauthenticated exploitation.