CVE-2020-36698 in Security & Malware Scan Plugin

Summary

by MITRE • 10/25/2023

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to call functions and delete and/or upload files.


Analysis

by VulDB Data Team • 04/10/2026

CVE-2020-36698 affects the Security & Malware scan by CleanTalk plugin for WordPress in versions up to and including 2.50. It is an authorization bypass: several of the plugin's AJAX handlers, which are reachable through the administrative dashboard, were shipped without the checks that should restrict them to administrators, so any account on the site can trigger operations the plugin intends only for privileged users. Every installation still running an affected version is exposed regardless of its other hardening, because the missing check sits inside the plugin itself.

The root cause is missing capability verification in the plugin's AJAX endpoint handlers, which is CWE-863 (Incorrect Authorization). WordPress dispatches wp_ajax_{action} callbacks for every logged-in user, subscribers included, so a handler that never calls current_user_can() is open to the lowest role on the site. The only remaining gate is the WordPress nonce, and a nonce is an anti-CSRF token (the CWE-352 class of control), not an authorization decision: it proves that the request originated from a page WordPress served to that user, not that the user is allowed to perform the action. Because the plugin prints its nonces in the source of the administrative dashboard, which a subscriber can load, a low-privilege attacker reads the token from the page and attaches it to a forged AJAX request, which then passes the nonce check and runs the handler.

The operational impact is significant for any site that relies on the plugin. An attacker with subscriber-level permissions or higher can invoke the exposed functions to delete and upload files within the WordPress installation. Uploading an attacker-controlled file to a web-reachable path can lead to remote code execution on the site, and deleting files can take the site down or remove security controls, so in practice the flaw turns the lowest registered role into control of the installation. Open registration, which defaults new users to Subscriber, is enough to give an attacker the required foothold. In ATT&CK terms this maps to T1078 Valid Accounts (a legitimate low-privilege account is the entry point) and T1068 Exploitation for Privilege Escalation; where the upload is used to plant a web shell, T1505.003 Server Software Component: Web Shell applies as well.

Mitigation starts with updating the plugin to a release later than 2.50. For plugin developers the fix is to call current_user_can() with an appropriate capability at the start of every AJAX handler, before the nonce check, and to emit nonces only on the plugin's own screens and only to users who hold that capability; a nonce must never be the sole gate on a privileged action. Site operators should review web server and WordPress logs for POST requests to wp-admin/admin-ajax.php that carry the plugin's actions from accounts that are not administrators, and for unexpected file creation or deletion under wp-content. Regular audits of user roles and a web application firewall capable of restricting admin-ajax.php actions by role add further layers, but neither substitutes for the update.
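The handler patterns described in the root-cause and mitigation paragraphs above, as an added illustration in WordPress plugin PHP. This is not CleanTalk's code and does not reproduce the plugin's actual AJAX action names; the nonce action 'example_scan_nonce', the AJAX actions, the 'manage_options' capability, the quarantine directory and the menu hook suffix 'toplevel_page_example-scan' are all assumptions made for the example.

```php
<?php
/*
 * Added example: a nonce-only AJAX handler beside its hardened form.
 * Not CleanTalk's code. All action names, the capability, the nonce key,
 * the hook suffix and the quarantine path are assumptions for illustration.
 */
if (!defined('ABSPATH')) { exit; }

/* ---- Vulnerable pattern: the nonce is the only gate ---- */

// The nonce is emitted on every admin page. A subscriber can reach
// /wp-admin/profile.php, read the token from the page source and reuse it.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('example-scan-vuln', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('example-scan-vuln', 'exampleScanVuln', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_scan_nonce'), // assumed nonce action
    ]);
});

// wp_ajax_* fires for any logged-in user, subscribers included.
add_action('wp_ajax_example_scan_delete_file_vuln', function () {
    // Proves the request came from a page WordPress served to this user, nothing more.
    check_ajax_referer('example_scan_nonce', 'nonce');
    $file = sanitize_text_field(wp_unslash($_POST['file'] ?? ''));
    // No current_user_can(): every subscriber reaches this line, and the path is unconstrained.
    unlink(WP_CONTENT_DIR . '/' . $file);
    wp_send_json_success();
});

/* ---- Hardened pattern: capability first, nonce second, input constrained ---- */

const EXAMPLE_SCAN_CAP = 'manage_options'; // assumed capability for scan management

// Expose the nonce only on the plugin's own screen and only to users who may use it.
add_action('admin_enqueue_scripts', function ($hook_suffix) {
    if ($hook_suffix !== 'toplevel_page_example-scan' || !current_user_can(EXAMPLE_SCAN_CAP)) {
        return;
    }
    wp_enqueue_script('example-scan', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('example-scan', 'exampleScan', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_scan_nonce'),
    ]);
});

// Shared guard for every privileged AJAX handler in the plugin.
function example_scan_require_admin(): void {
    // Authorization first: is this user allowed to manage the scanner at all?
    if (!current_user_can(EXAMPLE_SCAN_CAP)) {
        wp_send_json_error(['message' => 'forbidden'], 403); // wp_send_json_error() calls wp_die()
    }
    // CSRF protection second: did the request originate from a page we served?
    check_ajax_referer('example_scan_nonce', 'nonce');
}

add_action('wp_ajax_example_scan_delete_file', function () {
    example_scan_require_admin();

    // Constrain the target to a single quarantine directory and reject traversal.
    $name = sanitize_file_name(wp_unslash($_POST['file'] ?? ''));
    $dir  = realpath(WP_CONTENT_DIR . '/example-scan-quarantine'); // assumed directory
    $path = $dir ? realpath($dir . '/' . $name) : false;
    if ($name === '' || !$dir || !$path
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        wp_send_json_error(['message' => 'invalid file'], 400);
    }
    if (!unlink($path)) {
        wp_send_json_error(['message' => 'delete failed'], 500);
    }
    wp_send_json_success(['deleted' => basename($path)]);
});
```

With the hardened version, a subscriber who has obtained a nonce and POSTs action=example_scan_delete_file to admin-ajax.php receives a 403 before the nonce is even examined; the order matters because check_ajax_referer() would otherwise report a valid token and mislead anyone reading the logs into thinking the request was legitimate.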

Responsible: Wordfence

Reservation: 06/06/2023

Disclosure: 10/25/2023

Moderation: accepted

CPE: ready

EPSS: 0.00964

KEV: no

Activities: very low

Sources
