An advisory was issued for a crucial vulnerability rated 9.8/10 within the CleanTalk Antispam WordPress plugin, put in in over 200,000 web sites. The vulnerability allows unauthenticated attackers to put in susceptible plugins that may then be used to launch distant code execution assaults.
CleanTalk Antispam Plugin
The CleanTalk Antispam plugin is a subscription based mostly software program as a service that protects web sites from inauthentic consumer actions like spam subscriptions, registrations, kind emails, plus a firewall for blocking unhealthy bots.
As a result of it’s a subscription based mostly plugin it depends on a sound API in to achieve out to the CleanTalk servers and that is the a part of the plugin is the place the flaw that enabled the vulnerability was found.
CleanTalk Plugin Vulnerability CVE-2026-1490
The plugin incorporates a WordPress operate that checks if a sound API secret’s getting used to contact the CleanTalk servers. A WordPress operate is PHP code that performs a selected activity.
On this particular case, if the plugin can’t validate a connection to CleanTalk’s servers due to an invalid API key, it depends on the checkWithoutToken operate to confirm “trusted” requests.
The issue is that the checkWithoutToken operate doesn’t correctly confirm the id of the requester. An attacker is ready to misrepresent their id as coming from the cleantalk.org area after which launch their assaults. Thus, this vulnerability solely impacts plugins that don’t have a sound API key.
The Wordfence advisory describes the vulnerability:
“The Spam safety, Anti-Spam, FireWall by CleanTalk plugin for WordPress is susceptible to unauthorized Arbitrary Plugin Set up resulting from an authorization bypass by way of reverse DNS (PTR file) spoofing on the ‘checkWithoutToken’ operate…”
Beneficial Motion
The vulnerability impacts CleanTalk plugin variations as much as an together with 6.71. Wordfence recommends customers replace their installations to the newest model on the time of writing, model 6.72.