Advisory

WordPress Security Plugin exposes critical flaw

Take action: If you are using the Security & Malware scan by CleanTalk plugin, update IMMEDIATELY. The cat is out of the bag, and your WordPress site IS vulnerable. Patch NOW, and for added peace of mind enable the "Disable Code Execution for Uploads directory" option.


Learn More

A critical security vulnerability has been discovered in the "Security & Malware scan by CleanTalk" WordPress plugin, affecting more than 30,000 websites.

The vulnerability is tracked as CVE-2024-13365 (CVSS score 9.8) and enables unauthenticated attackers to upload arbitrary files, which could result in remote code execution (RCE).

The flaw resides in the plugin's file upload handling, specifically the checkUploadedArchive() function of the UploadChecker class. The root cause is insufficient authentication verification in this file-checking mechanism: the check can be reached without the caller having to prove who they are.

Exploitation involves uploading ZIP files that contain malicious PHP scripts alongside dummy text files. Once the archive is extracted into the publicly accessible directory returned by wp_get_upload_dir(), the attacker can request and execute the PHP code remotely, creating webshells or backdoors and potentially gaining full control of the compromised site.
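As a defender-side illustration of the pattern just described (an added example, not code from CleanTalk's plugin), the following Python triages a ZIP archive before it is allowed anywhere near a web-served directory: it flags entries a PHP-enabled server would execute and entries that would escape the extraction directory. The extension list is an assumption about a typical PHP server configuration, and the sample archive is constructed inline with an inert placeholder in place of any real PHP payload.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass, field

# Assumed: extensions a PHP-enabled web server executes if the file lands under the docroot.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

@dataclass
class TriageResult:
    executable: list = field(default_factory=list)  # entries the server could run
    traversal: list = field(default_factory=list)   # entries escaping the target dir
    @property
    def safe(self) -> bool:
        return not (self.executable or self.traversal)

def has_executable_ext(name: str) -> bool:
    # Check every dotted component so "shell.php.txt" is flagged as well: Apache
    # mod_mime can treat each extension of a multi-extension name as significant.
    parts = name.rsplit("/", 1)[-1].lower().split(".")[1:]
    return any(p in EXECUTABLE_EXTS for p in parts)

def escapes_target(name: str) -> bool:
    # Absolute paths or leading ".." segments would write outside the extraction dir.
    norm = posixpath.normpath(name)
    return name.startswith("/") or norm == ".." or norm.startswith("../")

def triage_zip(data: bytes) -> TriageResult:
    """Inspect archive entries without extracting anything."""
    result = TriageResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if escapes_target(info.filename):
                result.traversal.append(info.filename)
            if has_executable_ext(info.filename):
                result.executable.append(info.filename)
    return result

def build_sample_zip() -> bytes:
    """Constructed sample mirroring the advisory's pattern: a dummy text file
    packed with a PHP script (inert placeholder here) plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "dummy text file")
        zf.writestr("images/cache.php", "<?php // inert placeholder ?>")
        zf.writestr("../../outside.txt", "would land outside the uploads dir")
    return buf.getvalue()
```

The same checks applied to archives already sitting in wp-content/uploads give a quick post-patch sweep for files that should never have been extracted there.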

The flaw affects all versions of the plugin up to and including 2.149. CleanTalk has developed and released a patched version, 2.150.

WordPress administrators using the Wordfence firewall are additionally advised to enable its "Disable Code Execution for Uploads directory" option, so that PHP files landing in the uploads directory cannot be executed even if a similar upload flaw is abused.
