AI description
CVE-2024-13365 is an arbitrary file upload vulnerability found in the WordPress plugin "Security & Malware scan by CleanTalk," affecting versions 2.149 and earlier. This flaw allows unauthenticated users to upload files of their choosing to vulnerable WordPress sites. The vulnerability exists due to insufficient validation of user-supplied data when the plugin scans ZIP archives. Exploiting this flaw could allow attackers to upload malicious files, potentially leading to remote code execution on the affected server. The issue was discovered by Wordfence through their bug bounty program and responsibly disclosed to CleanTalk. CleanTalk has since released version 2.150 of the plugin to address this vulnerability.
- Description: The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Source: security@wordfence.com
- NVD status: Analyzed
CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- CWE: CWE-434 (source: security@wordfence.com)
- Hype score: Not currently trending
A critical vulnerability in CleanTalk, a WordPress plugin used by more than 30,000 sites. CVE-2024-13365 has a CVSS score of 9.8 and allows an unauthenticated attacker to upload arbitrary files. Insufficient ZIP file validation in the upload checker. Fixed in version 2.1.50. https://t.co/nOEar0RlBW
@__kokumoto, 15 Feb 2025 (1891 impressions, 12 retweets, 41 likes, 5 bookmarks, 0 replies, 1 quote)
Hackers Can Take Over 30,000 WordPress Sites Due to Critical CleanTalk Security Flaw (CVE-2024-13365)
@JdjdFjjf1829205, 14 Feb 2025 (25 impressions, 0 retweets, 1 like, 0 bookmarks, 0 replies, 0 quotes)
A vulnerability with identifier CVE-2024-13365, of the file upload type, has been published for one of the WordPress plugins, named Security & Malware scan by CleanTalk. This vulnerability can also turn into RCE. Currently 30,000 WordPress websites are at risk. https://t.co/Poz3aK
@AmirHossein_sec, 14 Feb 2025 (32 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes)
Hackers Can Take Over 30,000 WordPress Sites Due to Critical CleanTalk Security Flaw (CVE-2024-13365) https://t.co/RkuohOwdIn
@Dinosn, 14 Feb 2025 (1562 impressions, 4 retweets, 2 likes, 3 bookmarks, 0 replies, 0 quotes)
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cleantalk:security_\\&_malware_scan:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2FF0D925-2651-4B4C-8462-654680B73B3D",
            "versionEndExcluding": "2.150"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]