PT-2025-6458 · Cleantalk · Security & Malware Scan By Cleantalk

Lucio Sá · Published 2025-02-12 · Updated 2026-04-08

CVE-2024-13365

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Security & Malware scan by CleanTalk plugin for WordPress, versions up to and including 2.149

Description: The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file upload because its checkUploadedArchive() function accepts an uploaded .zip archive and extracts it in order to scan it for malware. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may lead to remote code execution. Approximately 30,000 WordPress sites are potentially affected.

Recommendations: For versions up to and including 2.149, consider disabling the checkUploadedArchive() function as a temporary workaround until a patch is available. Restrict access to the plugin's archive upload feature to minimize the risk of exploitation. Avoid using the plugin for malware scanning until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
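The underlying weakness is that an archive received from an untrusted party is written to disk by extraction before any decision about its contents is made. A scanner that needs to look inside an archive can instead read the entry list and reject the whole archive when any entry would be unsafe to write. The following is an added illustration of that pattern and is not code from the CleanTalk plugin; the zip archive it inspects is constructed inline, and the extension list and entry names are assumptions chosen for the example.

```python
import io
import posixpath
import zipfile

# Extensions a typical web server would execute if the file landed under the
# document root (assumed list for this example); such entries are never extracted.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def entry_problems(info: zipfile.ZipInfo) -> list[str]:
    """Return the reasons a single archive entry is unsafe to extract."""
    problems = []
    name = info.filename
    # Absolute paths and drive letters escape the intended extraction directory.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        problems.append("absolute path")
    # Any '..' segment can climb out of the extraction directory.
    if ".." in name.replace("\\", "/").split("/"):
        problems.append("path traversal")
    # Symlink entries carry Unix mode bits in the high 16 bits of external_attr.
    mode = info.external_attr >> 16
    if (mode & 0o170000) == 0o120000:
        problems.append("symlink")
    # Server-side executable content must not be written to disk at all.
    ext = posixpath.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        problems.append(f"executable extension {ext}")
    return problems


def audit_archive(data: bytes) -> dict[str, list[str]]:
    """Inspect every entry of a zip archive without extracting anything.

    Returns a mapping {entry_name: [problems]} containing only unsafe entries;
    an empty mapping means the archive contains nothing the checks object to.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info)
            if problems:
                findings[info.filename] = problems
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign text file, one PHP file nested in a
    directory, and one entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text (constructed)")
        zf.writestr("theme/script.php", "<?php /* constructed sample */ ?>")
        zf.writestr("../../wp-config.php", "overwrite attempt (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, problems in audit_archive(build_sample_archive()).items():
        print(f"{entry}: {', '.join(problems)}")
```

The decision is made on metadata alone, so a malicious archive never touches the filesystem; the same check can be run as a standalone audit over archives already sitting in an upload directory when reviewing a site that ran an affected version.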

Tags: RCE, Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2024-13365

Affected Products: Security & Malware Scan By Cleantalk