Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD; the only scoring source for this CVE.
Description (NVD)
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
Analysis (AI-generated)
Stored cross-site scripting in the Anti-Spam by CleanTalk Spam Protection WordPress plugin before 6.79 allows unauthenticated remote attackers to inject arbitrary JavaScript into approved comments via a custom shortcode in the email-encoding feature, with execution occurring when any visitor or administrator views the affected post. Publicly available exploit code exists per WPScan, increasing exposure for the plugin's large WordPress installation base, though it requires user interaction (UI:R) to trigger the payload. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the Anti-Spam by CleanTalk Spam Protection plugin to be installed and active at a version below 6.79 on a WordPress site that accepts comments, with the custom shortcode used by the email-encoding feature processed on rendered pages. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a network-reachable, low-complexity, unauthenticated attack requiring user interaction, scoring 8.8. … |
| Exploit Scenario | An unauthenticated attacker submits a comment containing the vulnerable CleanTalk email-encoding shortcode wrapped around malicious JavaScript; once the comment passes spam filtering and is approved (either automatically or by a moderator), the payload is stored in the database. When an administrator subsequently views the post containing the approved comment, the shortcode is expanded server-side and the attacker's JavaScript executes in the admin's authenticated browser session, allowing session theft, CSRF-based plugin installation, or creation of a new administrative user. … |
| Remediation | Upgrade the Anti-Spam by CleanTalk Spam Protection plugin to version 6.79 or later, which is the vendor-released patch confirmed by the WPScan advisory (https://wpscan.com/vulnerability/0d4635b5-2d79-4337-a1ad-6b8d02cfd64b/) and the EUVD record. … |
Recommended Action (AI-generated)
24 hours: Inventory all WordPress installations and identify those running Anti-Spam by CleanTalk prior to version 6.79; escalate to emergency security protocol. …
Related identifiers: EUVD-2026-35986, GHSA-jqmp-cmj4-fv28