Cyber Resilience

CVE-2024-13365

Critical

Published: 12 February 2025

Modified: 25 February 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0274 (86.3rd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13365 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Security & Malware scan by CleanTalk plugin for WordPress. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 13.7% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13365 is an arbitrary file upload vulnerability in the Security & Malware scan by CleanTalk plugin for WordPress. The issue stems from the checkUploadedArchive() function, which accepts an uploaded .zip archive and extracts it for malware scanning without sufficiently validating its contents. This affects all versions of the plugin up to and including 2.149.

Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction or privileges required. By submitting malicious .zip archives, they can upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Mitigation details are provided in the Wordfence advisory and in the fix committed to the WordPress plugins trac as changeset 3229205 for the security-malware-firewall plugin. Update the plugin to the patched release (2.150 or later); every release up to and including 2.149 is affected.

Vulnerability details

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in public-facing WordPress plugin enables remote exploitation (T1190) and direct deployment of web shells for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

CleanTalk
Security & Malware scan by CleanTalk (WordPress plugin, slug security-malware-firewall)
≤ 2.149

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation of the uploaded .zip archive in checkUploadedArchive() before anything is extracted, so that a crafted archive cannot place arbitrary files on the server.

SI-2 Flaw Remediation (prevent)

Ensures timely patching: every release up to and including 2.149 is affected, so the plugin must be updated to the fixed release (2.150 or later) as the advisories recommend.

Upload restriction (prevent)

Restricts upload of dangerous file types, such as unvalidated .zip archives, to the WordPress site, blocking unauthenticated exploitation.
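The validation that the Deeper analysis says checkUploadedArchive() lacks, and that the SI-10 control above calls for, as an added example in Python: it is not the CleanTalk plugin's PHP code and is not taken from the advisories. The policy it enforces (no path traversal or absolute paths, no symlinks, no web-executable or server-config file types, a per-entry size cap checked against the real byte count, a compression-ratio cap) is an assumption about what sufficient validation of an uploaded .zip means for a scanner; the archives it checks are constructed inside the block.

```python
"""Validate an uploaded ZIP before any entry is written to disk (added example,
not the plugin's code; the policy is an assumed one for a scanner's upload handler)."""
import io
import os
import posixpath
import stat
import tempfile
import zipfile

DANGEROUS_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
DANGEROUS_NAMES = {".htaccess", ".user.ini", "web.config"}  # reconfigure the web server
MAX_ENTRY_BYTES = 10 * 1024 * 1024  # per entry, enforced again while copying
MAX_RATIO = 100                     # file_size / compress_size, zip-bomb guard


def check_entry(info: zipfile.ZipInfo) -> list[str]:
    """Policy violations of one entry; an empty list means it is acceptable."""
    problems = []
    name, norm = info.filename, posixpath.normpath(info.filename)
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        problems.append("absolute path")
    if "\\" in name or norm == ".." or norm.startswith("../"):
        problems.append("path traversal")
    if stat.S_ISLNK(info.external_attr >> 16):  # unix mode sits in the high 16 bits
        problems.append("symlink")
    base = posixpath.basename(norm).lower()
    # every dotted suffix counts, so pic.php.jpg is caught as well as shell.php
    if base in DANGEROUS_NAMES or DANGEROUS_EXT & set(base.split(".")[1:]):
        problems.append("dangerous type")
    if info.file_size > MAX_ENTRY_BYTES:
        problems.append("entry too large")
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        problems.append("compression ratio too high")
    return problems


def validate_archive(data: bytes) -> dict[str, list[str]]:
    """Map each offending entry name to its violations; {} means the archive passed."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            problems = check_entry(info)
            if problems:
                findings[info.filename] = problems
    return findings


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract into dest only if the whole archive passes; raise otherwise.
    Header sizes can lie, so bytes are counted while copying, and the resolved
    target path is checked against dest again before anything is written."""
    findings = validate_archive(data)
    if findings:
        raise ValueError(f"refusing to extract: {findings}")
    root, written = os.path.realpath(dest), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"{info.filename} resolves outside {dest}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            copied = 0
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(64 * 1024):
                    copied += len(chunk)
                    if copied > MAX_ENTRY_BYTES:
                        raise ValueError(f"{info.filename} is larger than declared")
                    dst.write(chunk)
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def build_sample_archive() -> bytes:
    """Constructed input: the kind of entries a malicious scanner upload carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("../../wp-content/uploads/backdoor.php", "<?php system($_GET['c']); ?>")
        zf.writestr("images/pic.php.jpg", "GIF89a<?php eval($_POST['x']); ?>")
        zf.writestr("images/.htaccess", "AddType application/x-httpd-php .jpg")
    return buf.getvalue()


def extract_clean_to_tempdir() -> list[str]:
    """Constructed benign archive run through safe_extract in a scratch directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("site/index.html", "<h1>hello</h1>")
        zf.writestr("site/css/style.css", "body{margin:0}")
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(safe_extract(buf.getvalue(), tmp))
```

Two design points matter more than the list of extensions. First, the decision is all-or-nothing: one bad entry refuses the whole archive, because extracting the "good" entries first is exactly the order in which a traversal entry gets to overwrite them. Second, the checks on declared metadata are repeated on what actually comes out of the stream and on the resolved target path, since a central-directory entry can declare one size and path while the data says another. Whatever directory a scanner does extract into must also sit outside the web root, so a type the policy missed still cannot be requested over HTTP.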
