9.8

CVE-2024-13365

EPSS 3.74%
Veröffentlicht 12.02.2025 10:15:10
Zuletzt bearbeitet 25.02.2025 18:27:25
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Security & Malware scan by CleanTalk <= 2.149 - Unauthenticated Arbitrary File Upload

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function  in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mögliche Gegenmaßnahme

Login Security, FireWall, Malware removal by CleanTalk: Update to version 2.150, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Login Security, FireWall, Malware removal by CleanTalk

Version *-2.149

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cleantalk ≫ Security & Malware Scan SwPlatformwordpress Version < 2.150

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.74%	0.877

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://plugins.trac.wordpress.org/changeset/3229205/security-malware-firewall#file527

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/9fa30fa2-6c42-4e5f-a0b5-8711ce5d8121?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/9fa30fa2-6c42-4e5f-a0b5-8711ce5d8121

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-13365

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-13365

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-13365

EUVD