Description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
Published: 2026-02-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass leading to Arbitrary Plugin Installation and potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The CleanTalk Spam protection plugin for WordPress is vulnerable because the checkWithoutToken function does not verify the authenticity of the API key when the site's reverse DNS PTR record is spoofed. This bypass allows any unauthenticated user to request the installation of arbitrary plugins. Installing a malicious plugin can give the attacker remote execution capabilities, especially if another plugin or core component is also vulnerable. The flaw arises from improper token validation (CWE-350), and it only applies to sites that have an invalid or missing API key.

Affected Systems

Vendor: Cleantalk; product: Spam protection, Honeypot, Anti-Spam; all plugin versions up to 6.71 on WordPress sites. The flaw is present in every version through 6.71 and does not affect later releases.

Risk and Exploitability

The CVSS score is 9.8, indicating critical severity. The EPSS score of less than 1% suggests that exploitation attempts are expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, it is fully exploitable over the internet by spoofing the reverse DNS record of the target and triggering the plugin to install arbitrary code. The impact is confined to sites with an invalid API key, so informed attackers are likely to focus on such sites.
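As an added illustration of the CWE-350 pattern described in the Impact and Risk sections above (not the plugin's code, which this page does not show), the following places a PTR-only trust check beside a forward-confirmed reverse DNS (FCrDNS) check over a constructed resolver table. The vendor host name, the addresses, and the token fallback flow in authorize() are all assumptions for the example.

```python
import hmac
from typing import Callable, Dict, List, Optional

# Constructed resolver tables (documentation-range addresses; 'vendor.example'
# is a placeholder, the page does not name the vendor host being trusted).
PTR_RECORDS: Dict[str, List[str]] = {
    "198.51.100.10": ["api.vendor.example"],  # genuine vendor host
    "203.0.113.7": ["api.vendor.example"],    # reverse zone run by a third party
    "203.0.113.8": ["mail.other.example"],
}
A_RECORDS: Dict[str, List[str]] = {
    "api.vendor.example": ["198.51.100.10"],
    "mail.other.example": ["203.0.113.8"],
}
TRUSTED_SUFFIX = ".vendor.example"


def reverse_lookup(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])


def forward_lookup(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def ptr_only_is_trusted(ip: str) -> bool:
    """CWE-350 pattern: trust the caller if its PTR name looks like the vendor.
    Whoever operates the reverse zone for an address chooses its PTR name, so
    this check says nothing about who actually sent the request."""
    return any(n.endswith(TRUSTED_SUFFIX) for n in reverse_lookup(ip))


def fcrdns_is_trusted(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the
    same address, so the vendor's own forward zone has to vouch for it.
    Still only a weak signal; a shared secret is the real control."""
    return any(
        n.endswith(TRUSTED_SUFFIX) and ip in forward_lookup(n)
        for n in reverse_lookup(ip)
    )


def authorize(ip: str, presented: Optional[str], site_token: Optional[str],
              trust_check: Callable[[str], bool]) -> bool:
    """Assumed control flow: a valid API key gives the site a token that must
    match; with no valid key the handler falls back to the reverse DNS check."""
    if site_token is not None:
        return hmac.compare_digest(presented or "", site_token)
    return trust_check(ip)
```

The fallback is what makes the invalid-key case the exposed one: with a token present the reverse DNS result is never consulted.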

Generated by OpenCVE AI on April 15, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CleanTalk plugin to version 6.72 or newer, which removes the bypass.
  • Verify that the site’s CleanTalk API key is valid and active; sites with an invalid or missing key are no longer vulnerable.
  • Restrict plugin installation to administrators only, and review other installed plugins for known vulnerabilities.



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cleantalk; Cleantalk spam Protection, Honeypot, Anti-spam By Cleantalk; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Cleantalk; Cleantalk spam Protection, Honeypot, Anti-spam By Cleantalk; Wordpress; Wordpress wordpress

Sun, 15 Feb 2026 03:30:00 +0000

Type: Description
Values Added: The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.

Type: Title
Values Added: Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation

Type: Weaknesses
Values Added: CWE-350

Type: References

Type: Metrics (cvssV3_1)
Values Added:
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Cleantalk Spam Protection, Honeypot, Anti-spam By Cleantalk
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:28.127Z

Reserved: 2026-01-27T14:18:46.456Z

Link: CVE-2026-1490

Vulnrichment

Updated: 2026-02-17T21:21:44.719Z

NVD

Status: Deferred

Published: 2026-02-15T04:15:53.783

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses