The Security & Malware scan by CleanTalk plugin for WordPress suffers from an unrestricted file upload vulnerability identified as CVE-2024-13365, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability exists in the plugin's checkUploadedArchive() function, which processes uploaded .zip archives during malware scanning. The function extracts the contents of these archives without adequate validation or sanitization of file types, allowing attackers to upload arbitrary files, including potentially executable scripts. Since the plugin accepts these uploads without requiring authentication, remote attackers can exploit this flaw to place malicious files on the web server. This can lead to remote code execution (RCE), enabling attackers to execute arbitrary commands, escalate privileges, or pivot within the network. The vulnerability affects all plugin versions up to 2.149, with no patch currently available. The CVSS 3.1 score of 9.8 reflects the critical nature of this flaw, highlighting its high impact on confidentiality, integrity, and availability, combined with low attack complexity and no prerequisites for exploitation. The vulnerability's presence in a widely used WordPress security plugin increases the risk profile for many websites relying on CleanTalk for malware scanning.

The impact of CVE-2024-13365 is severe for organizations running WordPress sites with the affected CleanTalk plugin. Successful exploitation can lead to remote code execution, allowing attackers to fully compromise the web server. This can result in data breaches, defacement, installation of backdoors or malware, and use of the compromised server as a pivot point for further attacks within an organization's network. The confidentiality, integrity, and availability of the affected systems are all at high risk. For e-commerce, financial, healthcare, and government websites, such a compromise could lead to significant operational disruption, financial loss, reputational damage, and regulatory penalties. Additionally, the ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation attempts once public proof-of-concept exploits emerge.

Organizations should immediately audit their WordPress installations to identify the presence of the Security & Malware scan by CleanTalk plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. If disabling is not feasible, restrict file upload permissions at the web server level, such as limiting the types of files accepted and preventing execution of uploaded files in the plugin's upload directories. Implement web application firewall (WAF) rules to detect and block suspicious .zip archive uploads and extraction attempts. Monitor server logs for unusual file uploads or execution patterns indicative of exploitation attempts. Regularly update WordPress core and all plugins once patches become available. Additionally, enforce the principle of least privilege on the web server and isolate WordPress environments to limit the blast radius of any potential compromise.