An advisory was issued for a important vulnerability rated 9.8/10 within the CleanTalk Antispam WordPress plugin, put in in over 200,000 web sites. The vulnerability permits unauthenticated attackers to put in susceptible plugins that may then be used to launch distant code execution assaults.
CleanTalk Antispam Plugin
The CleanTalk Antispam plugin is a subscription primarily based software program as a service that protects web sites from inauthentic person actions like spam subscriptions, registrations, kind emails, plus a firewall for blocking dangerous bots.
As a result of it’s a subscription primarily based plugin it depends on a legitimate API in to achieve out to the CleanTalk servers and that is the a part of the plugin is the place the flaw that enabled the vulnerability was found.
CleanTalk Plugin Vulnerability CVE-2026-1490
The plugin accommodates a WordPress perform that checks if a legitimate API secret is getting used to contact the CleanTalk servers. A WordPress perform is PHP code that performs a particular process.
On this particular case, if the plugin can’t validate a connection to CleanTalk’s servers due to an invalid API key, it depends on the checkWithoutToken perform to confirm “trusted” requests.
The issue is that the checkWithoutToken perform doesn’t correctly confirm the id of the requester. An attacker is ready to misrepresent their id as coming from the cleantalk.org area after which launch their assaults. Thus, this vulnerability solely impacts plugins that don’t have a legitimate API key.
The Wordfence advisory describes the vulnerability:
“The Spam safety, Anti-Spam, FireWall by CleanTalk plugin for WordPress is susceptible to unauthorized Arbitrary Plugin Set up attributable to an authorization bypass through reverse DNS (PTR report) spoofing on the ‘checkWithoutToken’ perform…”
Beneficial Motion
The vulnerability impacts CleanTalk plugin variations as much as an together with 6.71. Wordfence recommends customers replace their installations to the most recent model on the time of writing, model 6.72.
