Description
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
Published: 2026-06-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the CleanTalk Anti‑Spam plugin before version 6.79. The plugin’s custom shortcode used for email‑encoding does not properly sanitize its content, allowing an unauthenticated attacker to embed arbitrary JavaScript into approved comments. When any user, including administrators, views the affected post, the malicious script executes in the victim’s browser, enabling cookie theft, session hijacking, defacement, or other attacks. This is a classic stored cross‑site scripting flaw as defined by CWE‑79.

Affected Systems

Any WordPress site that has installed the CleanTalk Anti‑Spam by CleanTalk plugin in a version earlier than 6.79. The plugin is distributed through the WordPress plugin repository and its vendor is not explicitly listed in the CVE data.

Risk and Exploitability

The attack is performed by submitting a normal comment containing the malicious shortcode, which requires no authentication. The EPSS score is not available and the issue is not in the CISA KEV catalog, yet the simplicity of the attack vector suggests a potentially high exploitation probability. Once a visitor loads the infected post, the injected script runs in their browser, compromising the confidentiality and integrity of user sessions and providing a vector for further compromise of the site.

Generated by OpenCVE AI on June 10, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CleanTalk Anti‑Spam plugin to version 6.79 or later, which includes proper sanitization of the email‑encoding shortcode.
  • If an immediate update is not feasible, disable the email‑encoding shortcode feature or remove it from comment content so that malicious scripts cannot be embedded.
  • Deploy a web application firewall or a WordPress security plugin that blocks script tags and enforces strict input validation on comments until the plugin is updated.
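As an added example of the second action above (not code from CleanTalk, WordPress, or OpenCVE), a must-use plugin that strips every registered shortcode from comment content both when a comment is submitted and when it is rendered; the install path and the assumption that the plugin's encoder expands shortcodes during comment rendering are mine, not stated on the page.

```php
<?php
/**
 * Plugin Name: Strip shortcodes from comments (interim mitigation)
 * Description: Added example, not CleanTalk's code. Place in
 *              wp-content/mu-plugins/ (assumed path) so it loads before
 *              ordinary plugins and cannot be deactivated from the UI.
 */

// Comment authors have no legitimate need for shortcodes, so remove them
// before the comment reaches the database. 'preprocess_comment' runs for
// every submitter, authenticated or not, which matches the unauthenticated
// attack path described in the advisory.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $commentdata['comment_content'] = strip_shortcodes( $commentdata['comment_content'] );
    return $commentdata;
}, 1 );

// Also neutralise shortcodes in comments that were approved before this
// mitigation was deployed. Priority 1 runs ahead of any plugin filter that
// might expand shortcodes while rendering comment text.
add_filter( 'comment_text', function ( $text ) {
    return strip_shortcodes( $text );
}, 1 );
```

strip_shortcodes() only removes shortcodes that are registered at the time it runs, so it covers the plugin's email-encoding shortcode while that plugin is active; it also removes any other shortcode in comments, which is usually acceptable for an interim control.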

History

Wed, 10 Jun 2026 11:30:00 +0000
  First Time appeared (values added): Cleantalk; Cleantalk spam Protection; Wordpress; Wordpress wordpress
  Vendors & Products (values added): Cleantalk; Cleantalk spam Protection; Wordpress; Wordpress wordpress
  Metrics (values added):
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 07:45:00 +0000
  Weaknesses (values added): CWE-79

Wed, 10 Jun 2026 06:45:00 +0000
  Description (values added): The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
  Title (values added): Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 - Unauthenticated Stored XSS via Comment Shortcode Bypass
  References (values added):

MITRE
  Status: PUBLISHED
  Assigner: WPScan
  Published:
  Updated: 2026-06-10T10:41:34.962Z
  Reserved: 2026-05-07T09:10:25.699Z
  Link: CVE-2026-8071

Vulnrichment
  Updated: 2026-06-10T10:41:13.227Z

NVD
  Status: Deferred
  Published: 2026-06-10T07:16:25.373
  Modified: 2026-06-10T19:41:25.327
  Link: CVE-2026-8071

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-10T13:00:13Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')