Description
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Anti-Spam by CleanTalk plugin before version 6.79. The plugin's custom shortcode used for email encoding fails to sanitize its enclosed content, so an unauthenticated attacker can inject arbitrary JavaScript into an approved comment. When any user, including an administrator, views the post, the script executes in that user's browser, enabling cookie theft, defacement, or session hijacking. The weakness is a classic stored XSS flaw, classified as CWE-79.

Affected Systems

WordPress sites running the Anti-Spam by CleanTalk. Spam protection plugin in any version earlier than 6.79. The plugin's vendor is not explicitly listed in the record, but it is a public WordPress plugin widely used for comment moderation.

Risk and Exploitability

The vulnerability is exploitable by anyone who can post a comment that contains the malicious shortcode, which requires no authentication. The EPSS score is not available, and the issue is not listed in CISA KEV, so the exploitation probability is unknown but potentially high due to the simple unauthenticated nature of the attack. Administrators should act promptly because the script runs automatically when users visit the infected post, compromising confidentiality, integrity, and availability of the site.

Generated by OpenCVE AI on June 10, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Anti-Spam by CleanTalk plugin to version 6.79 or later, which adds proper sanitization of the shortcode content.
  • If an immediate update is not feasible, disable the email-encoding shortcode on the site or strip it from comment content so that scripts cannot be embedded through it.
  • Enable a web application firewall or a WordPress security plugin that blocks script tags in comments, preventing injection until the plugin is updated.
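The following is an added illustration of the bug class and of the second recommended action; it is not CleanTalk's code, and the shortcode tag `example_email` and the function names are hypothetical, since the page does not name the real shortcode.

```php
<?php
// Added example, not CleanTalk's code. The shortcode tag "example_email" and the
// function names are hypothetical; the real plugin's tag is not given on the page.

// Weak pattern (the class of bug described): the enclosed shortcode content is
// returned inside markup without escaping, so whatever a commenter placed between
// the opening and closing tags is stored and later rendered as live HTML.
function example_email_shortcode_unsafe( $atts, $content = '' ) {
    return '<span class="enc-email">' . $content . '</span>';
}

// Hardened handler: treat the enclosed content as untrusted data, not markup.
// 1. strip any tags, 2. require a syntactically valid email address,
// 3. only then obfuscate it with WordPress's antispambot(), whose output consists
//    solely of HTML entities for the validated address and is therefore inert.
function example_email_shortcode_safe( $atts, $content = '' ) {
    $email = is_email( sanitize_email( wp_strip_all_tags( (string) $content ) ) );
    if ( false === $email ) {
        // Not an email address: emit nothing rather than echoing commenter input.
        return '';
    }
    return '<span class="enc-email">' . antispambot( $email ) . '</span>';
}
add_shortcode( 'example_email', 'example_email_shortcode_safe' );

// Interim workaround for sites that cannot update yet: remove the shortcode tags
// from comment content before the comment is saved, so no commenter-supplied
// shortcode reaches the renderer. 'pre_comment_content' is the core WordPress
// filter applied in wp_filter_comment() on the way to the database.
add_filter( 'pre_comment_content', function ( $content ) {
    return preg_replace( '/\[\/?example_email\b[^\]]*\]/i', '', (string) $content );
} );
```

The workaround removes only the shortcode tags; the text between them remains subject to WordPress's normal comment filtering.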


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 07:45:00 +0000

  Type         Values Removed   Values Added
  Weaknesses                    CWE-79

Wed, 10 Jun 2026 06:45:00 +0000

  Type         Values Removed   Values Added
  Description                   The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
  Title                         Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 - Unauthenticated Stored XSS via Comment Shortcode Bypass
  References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-10T06:00:11.562Z

Reserved: 2026-05-07T09:10:25.699Z

Link: CVE-2026-8071

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T07:16:25.373

Modified: 2026-06-10T07:16:25.373

Link: CVE-2026-8071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T07:30:25Z

Weaknesses