WordPress Plugin Vulnerability Puts 200,000 Websites at Risk
A significant vulnerability in the CleanTalk Anti-Spam plugin for WordPress has been discovered, potentially exposing around 200,000 websites. This flaw, registered as CVE-2026-1490, has received a high severity rating of 9.8 out of 10, indicating its seriousness. The exploit could allow unauthorized attackers to install malicious plugins, leading to remote code execution under certain circumstances.
Background on the Vulnerability
This vulnerability was uncovered by security researcher Nguyen Ngoc Duc (duc193) from KCSC. The findings were shared through Wordfence Intelligence, a key player in the monitoring of vulnerabilities within the WordPress ecosystem. Given the plugin's widespread use, the risk associated with this flaw is particularly concerning for website operators.
Technical Details of CVE-2026-1490
The flaw affects all versions of the CleanTalk plugin up to and including 6.71. The specific nature of CVE-2026-1490 is described as an “Authorization Bypass via Reverse DNS (PTR record) Spoofing,” which enables unauthenticated users to install arbitrary plugins.
At its core, the vulnerability arises from a flawed reliance on reverse DNS resolution during security-sensitive actions. The checkWithoutToken function fails to properly verify requests lacking a valid API key, allowing attackers to spoof reverse DNS records and impersonate legitimate sources.
How the Vulnerability Works
CleanTalk operates as a subscription-based service aimed at blocking spam and malicious activities on WordPress sites. For proper operation, it requires a valid API key. When an invalid key is configured, however, the plugin falls back on a secondary function for validating requests. Unfortunately, this fallback does not reliably verify the identity of the requester.
Attackers can exploit this weakness by manipulating reverse DNS records to make their requests appear as if they originate from the CleanTalk domain. This circumvents the necessary authorization checks, allowing for the unauthorized installation of plugins. Although CVE-2026-1490 does not directly allow for remote code execution, it opens the door for attackers to install other malicious plugins that could enable such functions.
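To make the failure mode concrete, the following added example (not CleanTalk's or Wordfence's code) models the two ways a plugin might decide whether a request "comes from the vendor". The first mirrors the flawed pattern: trust the caller if the PTR name of its source address ends with the vendor's domain. The second performs forward-confirmed reverse DNS (FCrDNS): after the PTR lookup, it resolves the returned hostname forward and only trusts the caller if the original address is among the forward answers, which an address owner cannot satisfy merely by publishing a PTR record. The final `authorize` function shows the hardening that actually closes this class of bug: a credential check that never falls back to origin heuristics. The trusted suffix, the IP addresses and all DNS answers below are constructed; the real resolver calls would be `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
"""Weak PTR-suffix trust versus forward-confirmed reverse DNS plus a credential check.

Added illustration, not the plugin's code. All DNS data is constructed so the
example runs offline; swap in the socket-based lookups from live_lookups() to
query real resolvers.
"""
import hmac
import socket

# Assumed trusted suffix for illustration. The leading dot prevents a look-alike
# such as "evilcleantalk.org" from matching.
TRUSTED_SUFFIX = ".cleantalk.org"

# Constructed reverse (PTR) answers. Reverse zones are delegated to whoever
# controls the IP block, so an address owner can publish any PTR text at all.
PTR_RECORDS = {
    "198.51.100.10": "api.cleantalk.org",  # genuine vendor host (constructed)
    "203.0.113.77": "api.cleantalk.org",   # unrelated address carrying a spoofed PTR
}

# Constructed forward (A) answers. These are controlled by the domain owner,
# which is why forward confirmation is the meaningful half of the check.
A_RECORDS = {
    "api.cleantalk.org": {"198.51.100.10"},
}


def weak_is_trusted(ip, ptr_lookup=PTR_RECORDS.get):
    """Flawed pattern: accept if the PTR name merely ends with the trusted suffix."""
    name = ptr_lookup(ip)
    return bool(name) and name.endswith(TRUSTED_SUFFIX)


def fcrdns_is_trusted(ip, ptr_lookup=PTR_RECORDS.get, a_lookup=A_RECORDS.get):
    """Forward-confirmed reverse DNS: PTR name must carry the suffix AND resolve
    back to the address that made the request."""
    name = ptr_lookup(ip)
    if not name or not name.endswith(TRUSTED_SUFFIX):
        return False
    return ip in (a_lookup(name) or set())


def authorize(ip, presented_key, expected_key, origin_check=fcrdns_is_trusted):
    """Hardened decision: the credential is mandatory and compared in constant
    time; the origin check is defense in depth, never a fallback for a bad key."""
    if not presented_key or not hmac.compare_digest(presented_key, expected_key):
        return False
    return origin_check(ip)


def live_lookups():
    """Return (ptr_lookup, a_lookup) backed by the system resolver.
    Not exercised here because it needs network access."""
    def ptr_lookup(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

    def a_lookup(name):
        try:
            return set(socket.gethostbyname_ex(name)[2])
        except OSError:
            return set()

    return ptr_lookup, a_lookup


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "weak:", weak_is_trusted(ip), "fcrdns:", fcrdns_is_trusted(ip))
```

The spoofed address passes `weak_is_trusted` and fails `fcrdns_is_trusted`; more importantly, `authorize` rejects any request without the expected key regardless of what DNS says, which is the property the vulnerable fallback path lacked.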
Key Vulnerability Parameters
The CVSS vector for this vulnerability is classified as:
- Attack vector: Network-based (AV:N)
- Attack complexity: Low (AC:L)
- Privileges required: None (PR:N)
- User interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Impact: High for confidentiality, integrity, and availability (C:H/I:H/A:H)
This classification underscores the critical nature of the CleanTalk plugin vulnerability, which could lead to severe breaches if left unaddressed.
Affected Versions and Scope
The scope of this vulnerability encompasses all versions of the CleanTalk plugin up to version 6.71, which is referenced under the software slug “cleantalk-spam-protect” on WordPress.org. As previously mentioned, more than 200,000 websites currently rely on this plugin, magnifying the potential attack surface.
Importantly, websites using a valid API key are not vulnerable to this particular issue. The risk is confined to installations where an invalid key is configured, since that is the condition under which the plugin falls back to the weaker authorization path.
Take Action
Website administrators should take this vulnerability seriously. It’s essential to ensure that all plugins are updated to their latest versions and that API keys are configured correctly. By maintaining diligent security measures, site owners can help protect against potential attacks stemming from vulnerabilities like CVE-2026-1490.
As with all significant vulnerabilities, staying informed and proactive is key to safeguarding your online presence.