30,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in Security & Malware scan by CleanTalk WordPress Plugin

On December 7th, 2024, we received a submission for an Arbitrary File Upload vulnerability in Security & Malware scan by CleanTalk, a WordPress plugin with more than 30,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,716.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 14, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on February 13, 2025.

We contacted the CleanTalk team on January 13, 2025, and received a response on the next day. After providing full disclosure details, the developer released a patch on January 27, 2025. We would like to commend the CleanTalk team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Security & Malware scan by CleanTalk, version 2.150 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Security & Malware scan by CleanTalk <= 2.149 – Unauthenticated Arbitrary File Upload
Affected Plugin: Security & Malware scan by CleanTalk
Plugin Slug: security-malware-firewall
Affected Versions: <= 2.149
CVE ID: CVE-2024-13365
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lucio Sá
Fully Patched Version: 2.150
Bounty Award: $1,716.00

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Technical Analysis

The plugin is a security WordPress plugin developed by CleanTalk, which includes a web application firewall, malware scanner, brute force protection, two-factor authentication, and many other features.

Examining the code reveals that the plugin uses the runCheckForFilesGlobalVariable() function in the UploadChecker class in the firewall module to check all uploaded files.

/**
 * Implement parent firewall module call
 * @return bool[]|Result[]
 */
public function check()
{
    $result_passed = new Result(
        array(
            'module' => $this->module_name,
            'ip'     => end($this->ip_array),
            'status' => 'PASS',
        )
    );
    $result = $this->runCheckForFilesGlobalVariable($_FILES);

This function checks every uploaded zip file with the checkUploadedArchive() function, which extracts the archive and then runs the checkFileContent() function over the contents of each extracted file.

private function checkUploadedArchive($archive_path)
{
    global $wp_filesystem;

    if ( !empty($archive_path) && is_string($archive_path)) {
        if (!function_exists('unzip_file')) {
            require_once ABSPATH . 'wp-admin/includes/file.php';
        }

        if ( ! $wp_filesystem ) {
            WP_Filesystem();
        }

        $destination = wp_get_upload_dir()['path'] . DIRECTORY_SEPARATOR . 'spbct_' . time();
        if (!is_dir($destination)) {
            mkdir($destination);
        }

        $unzipped = unzip_file($archive_path, $destination);
        if (is_wp_error($unzipped)) {
            return false;
        }

        $unzipped_files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($destination, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::CHILD_FIRST,
            RecursiveIteratorIterator::CATCH_GET_CHILD
        );

        $result = false;

        foreach ($unzipped_files as $path => $dir) {
            if ($dir->isDir()) {
                $unzipped_files->next();
            } else {
                $result = $this->checkFileContent($path);
            }

The upload checker is intended to run on every admin page where the user is logged in, which the plugin checks with the spbc_is_user_logged_in() function.

if ( is_admin() && spbc_is_user_logged_in() ) {
    //do this if in admin area and user is logged in - check only admin area (WAF run)
    spbc_firewall_check_admin_area();
    if ( ! empty($_FILES) ) {
        spbc_upload_checker__check();
    }

However, the spbc_is_user_logged_in() function only checks whether any cookie name contains “wordpress_logged_in”; it never validates the cookie. An unauthenticated attacker can therefore reach the vulnerable upload checker simply by sending a cookie with that name and an arbitrary value.

function spbc_is_user_logged_in()
{
    return (bool) preg_grep("/wordpress_logged_in/", array_keys($_COOKIE));
}

Unfortunately, the zip file is extracted into the publicly available WordPress uploads folder because the wp_get_upload_dir() function is used to determine the destination path. This makes it possible for unauthenticated attackers to upload a large zip file containing thousands of .txt files and a .php file, which is extracted to the uploads folder. While the plugin checks the thousands of .txt files, which is time-consuming for the server, the attacker can access the malicious .php file to trigger remote code execution on the server. This is exploitable even in instances where unauthenticated users have no capability to upload zip files, posing a significant risk to all sites running the plugin.
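As an added example (not CleanTalk's code, and not the vendor's patch), the following shows how a scanner can avoid both problems described above: the archive's listing is inspected and capped before anything is extracted, and extraction happens only into a private scratch directory instead of the web-accessible uploads folder. It assumes PHP's ext-zip and that sys_get_temp_dir() lies outside the web root; the function names and the sample archive are constructed for illustration.

```php
<?php
// Added example, not CleanTalk's code: judge an archive from its listing alone and only then
// extract it, into a private scratch directory. Assumes ext-zip and a non-web-accessible temp dir.
const MAX_ENTRIES = 500;  // a huge archive must not be able to tie up the scanner
const BLOCKED_EXT = ['php', 'php3', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];
// Returns null when the archive is acceptable, otherwise the first problem found.
function archive_problem(string $archive_path): ?string
{
    $zip = new ZipArchive();
    if ($zip->open($archive_path) !== true) {
        return 'cannot open archive';
    }
    $problem = $zip->numFiles > MAX_ENTRIES ? 'too many entries' : null;
    for ($i = 0; $problem === null && $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Absolute paths and traversal are rejected before anything touches the disk.
        if ($name === '' || $name[0] === '/' || strpos($name, '..') !== false) {
            $problem = "unsafe path: $name";
        }
        // Every dotted suffix is checked, so shell.php.txt and .htaccess are caught too.
        foreach (array_slice(explode('.', basename($name)), 1) as $ext) {
            if (in_array(strtolower($ext), BLOCKED_EXT, true)) {
                $problem = "disallowed file type: $name";
            }
        }
    }
    $zip->close();
    return $problem;
}
// Extracts only after inspection, into a random mode-0700 directory outside the web root.
function extract_for_scanning(string $archive_path): string
{
    if (($why = archive_problem($archive_path)) !== null) {
        throw new RuntimeException("refusing archive: $why");
    }
    $dest = sys_get_temp_dir() . '/scan_' . bin2hex(random_bytes(8));
    $zip = new ZipArchive();
    if (!mkdir($dest, 0700) || $zip->open($archive_path) !== true || !$zip->extractTo($dest)) {
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    return $dest;
}
// Constructed sample archive: one text file plus a smuggled PHP file.
$sample = tempnam(sys_get_temp_dir(), 'zip');
$zip = new ZipArchive(); $zip->open($sample, ZipArchive::OVERWRITE);
$zip->addFromString('notes.txt', 'harmless text');
$zip->addFromString('img/shell.php', '<?php echo 1;');
$zip->close();
echo archive_problem($sample) ?? 'archive accepted', PHP_EOL;
```

Restoring the authentication gate is a separate fix from the extraction logic: WordPress core's is_user_logged_in() validates the auth cookie's signature and expiry rather than merely looking for its name.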

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

Wordfence Firewall

The following graphic demonstrates the steps an attacker might take toward exploitation and the point at which the Wordfence firewall would block the attacker from successfully exploiting the vulnerability.

The firewall also blocks access to the temp file:

Please note this protection only works if the “Disable Code Execution for Uploads directory” option is enabled in the Wordfence Global Options page. We strongly recommend all Wordfence users enable this option.

Disclosure Timeline

December 7, 2024 – We received the submission for the Arbitrary File Upload vulnerability in Security & Malware scan by CleanTalk via the Wordfence Bug Bounty Program.
January 13, 2025 – We validated the report and confirmed the proof-of-concept exploit.
January 13, 2025 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
January 14, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
January 14, 2025 – The vendor confirmed the inbox for handling the discussion.
January 14, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
January 16, 2025 – The vendor committed the patch to the plugin’s GitHub repository.
January 27, 2025 – The fully patched version of the plugin, 2.150, was released.
February 13, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the Security & Malware scan by CleanTalk plugin affecting versions 2.149 and earlier. This vulnerability allows unauthenticated threat actors to execute malicious code on the server. The vulnerability has been addressed in version 2.150 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Security & Malware scan by CleanTalk as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 14, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on February 13, 2025.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
