CleanTalk WordPress Plugin Allows Unauthorized Plugin Installation

CVE-2026-1490
Summary

The CleanTalk plugin for WordPress has a security flaw that could let attackers install and activate any plugin without permission. This is a risk because they could install malicious plugins that harm your site. Only sites using an invalid API key are exploitable; if yours is one, update the plugin to the latest version to fix this issue.

Original title
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) sp...
Original description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-350
Published: 15 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026
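
The description attributes the bypass to trusting a reverse DNS (PTR) record, which is the CWE-350 pattern. The PHP 8 code below is an added example, not the plugin's code and not from the original page: it contrasts a PTR-only hostname check with a forward-confirmed one. The domain `trusted.example`, the function names and the DNS records are all constructed for illustration.

```php
<?php
// Added example with hypothetical names; trusted.example is a placeholder
// for whatever service domain an allow-by-hostname check is written for.
const TRUSTED_SUFFIX = '.trusted.example';

// Constructed DNS data so the example runs offline. The owner of an IP's
// reverse zone chooses its PTR name, so 203.0.113.7 can claim any hostname.
const PTR_RECORDS = [
    '198.51.100.10' => 'api1.trusted.example.',
    '203.0.113.7'   => 'api1.trusted.example.',
];
const A_RECORDS = [
    'api1.trusted.example' => ['198.51.100.10'],
];

function normalize_host(string $host): string {
    return strtolower(rtrim($host, '.'));
}
// Stand-ins for gethostbyaddr() and gethostbynamel() in a live check.
function lookup_ptr(string $ip): ?string {
    $name = PTR_RECORDS[$ip] ?? null;
    return $name === null ? null : normalize_host($name);
}
function lookup_forward(string $host): array {
    return A_RECORDS[normalize_host($host)] ?? [];
}
function in_trusted_domain(string $host): bool {
    return str_ends_with($host, TRUSTED_SUFFIX);
}

// Weak pattern (CWE-350): the PTR name alone decides.
function ptr_only_check(string $ip): bool {
    $host = lookup_ptr($ip);
    return $host !== null && in_trusted_domain($host);
}

// Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
function fcrdns_check(string $ip): bool {
    $host = lookup_ptr($ip);
    if ($host === null || !in_trusted_domain($host)) {
        return false;
    }
    return in_array($ip, lookup_forward($host), true);
}

foreach (array_keys(PTR_RECORDS) as $ip) {
    printf("%-14s ptr_only=%s fcrdns=%s\n", $ip,
        var_export(ptr_only_check($ip), true),
        var_export(fcrdns_check($ip), true));
}
```

Even a forward-confirmed hostname is only network-level evidence; a privileged action such as plugin installation should also require an authenticated token.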