CVE-2026-1490
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
Analysis
CleanTalk Anti-Spam WordPress plugin has an authorization bypass enabling unauthenticated attackers to perform file operations on the WordPress server.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Disable the CleanTalk plugin immediately and audit installed plugins for unauthorized additions; verify DNS security and implement reverse DNS validation. Within 7 days: Switch to an alternative anti-spam solution (e.g., Akismet, native WordPress protections) and conduct forensic review of access logs and plugin installation history. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today