Security & Malware scan by CleanTalk < 2.150 – Unauthenticated Arbitrary File Upload | CVE 2024-13365 | Plugin Vulnerabilities

Description

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

security-malware-firewall

Fixed in 2.150

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9fa30fa2-6c42-4e5f-a0b5-8711ce5d8121

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

7f9b60da-a5d5-4cc4-a8d6-d3232473b9dc

Timeline

Publicly Published

2025-02-11 (about 1 year ago)

Added

2025-02-11 (about 1 year ago)

Last Updated

2025-02-12 (about 1 year ago)

Other

Published

Title

Published

2025-12-11

Title

Infility Global < 2.14.43 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-10-17

Title

WP Dropbox Dropins <= 1.0 - Unauthenticated Arbitrary File Upload

Published

2022-08-11

Title

Uploading SVG, WEBP and ICO files <= 1.2.1 - Admin+ Arbitrary File Upload

Published

2025-07-03

Title

VikRentCar Car Rental Management System < 1.4.4 - Authenticated (Administrator+) Arbitrary File Upload

Published

2025-08-04

Title

WP Import Export Lite < 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload