
WordPress Plugin Arbitrary File Upload Vulnerability Affects 30,000 Sites

WordPress Security Threat: 30,000 Sites at Risk

A critical arbitrary file upload vulnerability has been discovered in the Security & Malware Scan by CleanTalk WordPress plugin, which is installed on more than 30,000 websites. The flaw lets unauthenticated attackers upload files of their choosing to an affected site, which can lead to remote code execution and full takeover of the site. The finding fits a wider pattern: in 2024, over 4,400 vulnerabilities were reported across the WordPress ecosystem, and plugins accounted for roughly 97% of them.

Understanding the Security Flaw

The vulnerability stems from missing validation in the plugin's malware scanning feature. Its checkUploadedArchive() function does not properly validate uploaded .zip archives, so an attacker can submit an archive of their own making without being logged in. The archive is then extracted into a publicly accessible directory, so any server-side script it contains (a PHP file, on a WordPress host) becomes reachable over the web and can be executed, leading to server compromise.

This vulnerability is particularly dangerous because exploitation requires no authentication: any attacker who knows the request format can upload a harmful file. The impact can be severe, including:

  • Website Defacement – Attackers can modify site content, inject harmful scripts, or completely take over the site’s appearance.
  • Data Theft – Sensitive user and administrative data, including login credentials and financial information, could be accessed and exploited.
  • Backdoor Access – Cybercriminals can install persistent access points, allowing them to return even after an initial cleanup.
  • Malware Distribution – Affected websites can be turned into platforms for spreading malware, phishing pages, or ransomware.
  • SEO Poisoning – Attackers may inject spam or malicious links into the website, damaging search rankings and credibility.

One of the biggest concerns is that site owners may not immediately notice the breach. Malicious actors often use stealth tactics to remain undetected for extended periods, allowing them to exploit compromised systems for long-term gains.

Understanding the mechanics of this vulnerability is the starting point for an effective response. Without protective measures, affected sites remain exposed to compromise, data breaches and operational disruption.

How to Protect Your WordPress Site

If your website uses the Security & Malware Scan by CleanTalk plugin, immediate action is required to mitigate potential threats. Follow these steps to secure your site:

  1. Update the Plugin Immediately – Update Security & Malware Scan by CleanTalk to version 2.150 or later, the release that contains the fix. Running outdated software significantly increases security risk.
  2. Scan Your Website for Malware – Use a reputable WordPress security plugin like Wordfence, Sucuri, or MalCare to identify and remove any suspicious files, paying particular attention to script files inside wp-content/uploads.
  3. Check File Upload Permissions – Restrict upload privileges to trusted user roles and configure the web server so that scripts placed in the uploads directory cannot execute (for example, by denying PHP execution under wp-content/uploads).
  4. Monitor Your Site for Unusual Activity – Keep track of login attempts, file changes, and unauthorized modifications using an activity log plugin.
  5. Perform a Full Site Backup – A recent clean backup allows quick restoration without losing critical data. Keep backups taken before any suspected compromise; a backup made afterwards may already contain the attacker's files.
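The following script, added here as an example and not taken from the article, CleanTalk or Wordfence, automates the first three steps above for one WordPress install: it reads the plugin's version header and compares it with the fixed release 2.150, lists PHP-like files under wp-content/uploads, and checks whether that directory carries an .htaccess that denies PHP execution. The plugin directory and main-file names (security-malware-firewall) are assumptions, as is the layout of the sample site it builds in a temporary directory.

```python
"""Post-disclosure triage of a WordPress install for the CleanTalk plugin flaw.

Added example, not code from the article, CleanTalk or Wordfence. Checks:
plugin version below the fixed 2.150, PHP-like files under wp-content/uploads,
and an uploads/.htaccess that blocks PHP execution. Assumed: the plugin's
directory and main-file names and the standard 'Version:' header layout.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed plugin location; WordPress reads the version from the main file header.
PLUGIN_MAIN = Path("wp-content/plugins/security-malware-firewall/security-malware-firewall.php")
FIXED_VERSION = "2.150"
# Matches name.php, name.php5, name.phtml ... and the double-extension
# variant name.php.png that some server configurations still execute.
PHP_LIKE = re.compile(r"\.(php\d?|phtml|phps|phar)(\.|$)", re.IGNORECASE)

# Apache 2.4 rule to deny serving (and so executing) PHP-like files in uploads/.
UPLOADS_HTACCESS = '''<FilesMatch "\\.(php\\d?|phtml|phps|phar)$">
    Require all denied
</FilesMatch>
'''


def parse_version(text: str):
    """'2.149' -> (2, 149); compares the way WordPress version strings do."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def plugin_version(wp_root) -> Optional[str]:
    main = Path(wp_root) / PLUGIN_MAIN
    if not main.is_file():
        return None  # plugin not installed
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)",
                  main.read_text(errors="replace"), re.MULTILINE)
    return m.group(1) if m else None


def plugin_needs_update(wp_root) -> bool:
    v = plugin_version(wp_root)
    return v is not None and parse_version(v) < parse_version(FIXED_VERSION)


def find_php_in_uploads(wp_root) -> List[str]:
    """Uploads should hold media only; any PHP-like file there is suspect."""
    root = Path(wp_root)
    uploads = root / "wp-content" / "uploads"
    return sorted(p.relative_to(root).as_posix()
                  for p in uploads.rglob("*")
                  if p.is_file() and PHP_LIKE.search(p.name))


def uploads_php_blocked(wp_root) -> bool:
    ht = Path(wp_root) / "wp-content" / "uploads" / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace")
    return "Require all denied" in text or "php_flag engine off" in text.lower()


def triage(wp_root) -> Dict[str, object]:
    return {
        "plugin_version": plugin_version(wp_root),
        "needs_update": plugin_needs_update(wp_root),
        "php_in_uploads": find_php_in_uploads(wp_root),
        "uploads_php_blocked": uploads_php_blocked(wp_root),
    }


def make_sample_site(version: str = "2.149") -> Path:
    """Constructed fixture: minimal WP tree with the plugin at `version` and
    two PHP-like files dropped into uploads (stand-ins for attacker files)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    main = root / PLUGIN_MAIN
    main.parent.mkdir(parents=True)
    main.write_text("<?php\n/*\n * Plugin Name: Security & Malware scan by CleanTalk\n"
                    f" * Version: {version}\n */\n")
    up = root / "wp-content" / "uploads" / "2025" / "01"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (up / "cache.php").write_text("<?php /* constructed: stand-in for a dropped shell */ ?>")
    (up / "thumb.php.png").write_text("<?php /* constructed double extension */ ?>")
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for key, value in triage(site).items():
        print(f"{key}: {value}")
```

Run it against a real install by calling triage() with the WordPress root instead of the constructed fixture. A non-empty php_in_uploads list is a reason to treat the site as compromised and move to the cleanup and backup steps, not merely to update.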

Best Practices to Prevent Future WordPress Vulnerabilities

Recent vulnerabilities, such as the WordPress Calendar Plugin flaw affecting over 150,000 sites, highlight the need for constant vigilance and proactive security measures. To reduce the risk of similar security breaches, website owners should implement the following long-term security measures:

  • Regular Plugin and Core Updates – Always ensure that WordPress core, themes, and plugins are updated to their latest versions.
  • Use a Web Application Firewall (WAF) – Services like Cloudflare, Sucuri, or Wordfence Premium can block malicious requests before they reach your website.
  • Restrict User Roles and Permissions – Assign only necessary privileges to users, reducing potential entry points for hackers.
  • Disable Unused Plugins – Deactivate and delete any plugins that are not actively in use to minimize exposure to vulnerabilities.
  • Enable Two-Factor Authentication (2FA) – Adding an extra layer of authentication for administrator accounts can prevent unauthorized logins.

Patch and Mitigation Timeline

A similar critical flaw was recently discovered in the WP Automatic Plugin, requiring an urgent patch. Website administrators should regularly monitor plugin updates to prevent exploitation.

The vulnerability was responsibly disclosed on December 7, 2024, by security researcher Lucio Sá through the Wordfence Bug Bounty Program.

After Wordfence verified the report and contacted the CleanTalk team on January 13, 2025, a patch was released on January 27, 2025 (version 2.150).

Wordfence Premium users received a firewall rule to block exploitation attempts on January 14, 2025, while free users gained access to this protection on February 13, 2025.

Website administrators using the CleanTalk plugin are urged to update immediately to version 2.150 or later.

Failure to do so leaves sites vulnerable to attacks that could result in severe operational and reputational damage.

For additional security:

  • Implement a web application firewall (WAF) like Wordfence.
  • Regularly update all plugins and themes.
  • Restrict file upload permissions, validate file types and archive contents rigorously, and never extract user-supplied archives into web-accessible directories.
  • Monitor server logs for suspicious activity.

This incident underscores the importance of proactive vulnerability management and timely updates to mitigate risks in the dynamic cybersecurity landscape.

Final Thoughts

The arbitrary file upload vulnerability in the Security & Malware Scan by CleanTalk plugin underscores the importance of proactive WordPress security. Website administrators should act swiftly by updating their plugins, scanning for potential threats, and reinforcing security measures to prevent malicious exploits.

By staying vigilant and implementing strong security protocols, WordPress site owners can protect their websites from cyber threats and maintain a secure digital presence.



Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
