CleanTalk: CleanTalk WordPress Plugin Vulnerability Puts 200,000 Sites at Risk

Critical WordPress Plugin Vulnerability Exposes 200,000 Sites to Remote Attacks

A severe security flaw in the CleanTalk Anti-Spam WordPress plugin (CVE-2026-1490) has left up to 200,000 websites vulnerable to unauthenticated arbitrary plugin installation, potentially leading to remote code execution (RCE). The vulnerability, rated 9.8 (Critical) on the CVSS scale, was disclosed by security researcher Nguyen Ngoc Duc (duc193) of KCSC and published via Wordfence Intelligence.

The flaw affects all versions of the plugin up to and including 6.71 and stems from an authorization bypass via reverse DNS (PTR) spoofing. The plugin’s checkWithoutToken function fails to properly verify request authenticity when an invalid API key is present, allowing attackers to spoof PTR records and impersonate trusted sources, specifically the cleantalk.org domain. This enables unauthenticated attackers to install malicious plugins, which could then be leveraged for further exploitation, including RCE.

While CVE-2026-1490 does not directly grant RCE, it creates a pathway for attackers to deploy additional plugins that may facilitate such attacks. The vulnerability is exploitable only on sites with an invalid API key; those with a valid key remain unaffected.
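As an added illustration (not CleanTalk's code; the function names below are hypothetical stand-ins and the DNS tables are constructed), the following contrasts a PTR-only trust check of the kind the advisory describes with a forward-confirmed reverse DNS (FCrDNS) check, and shows why falling back to origin-based trust when the API key is invalid is the weak point:

```python
from typing import Dict, List

# Constructed, offline stand-ins for DNS lookups; no real resolution happens.
# PTR_RECORDS: what the *reverse* zone owner publishes for an IP (controlled by
# whoever owns that address space). A_RECORDS: what the *forward* zone owner
# (the cleantalk.org operator) publishes.
PTR_RECORDS: Dict[str, List[str]] = {
    "203.0.113.10": ["api.cleantalk.org"],  # genuine: forward record points back
    "198.51.100.7": ["api.cleantalk.org"],  # spoofed PTR: forward record does not
}
A_RECORDS: Dict[str, List[str]] = {
    "api.cleantalk.org": ["203.0.113.10"],
}
TRUSTED_DOMAIN = "cleantalk.org"

def reverse_lookup(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])

def forward_lookup(host: str) -> List[str]:
    return A_RECORDS.get(host, [])

def in_trusted_domain(host: str) -> bool:
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def ptr_only_trusted(ip: str) -> bool:
    """Weak check: believes the reverse zone alone, so any PTR record naming
    cleantalk.org is enough, whoever published it."""
    return any(in_trusted_domain(h) for h in reverse_lookup(ip))

def fcrdns_trusted(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must also resolve back to
    the same IP, which requires control of the real cleantalk.org forward zone."""
    return any(
        in_trusted_domain(h) and ip in forward_lookup(h) for h in reverse_lookup(ip)
    )

def authorize_legacy(ip: str, api_key_valid: bool, token_ok: bool) -> bool:
    """Hypothetical model of the flawed pattern the advisory describes: with no
    valid key to validate a token against, fall back to trusting the PTR."""
    if api_key_valid:
        return token_ok
    return ptr_only_trusted(ip)

def authorize_hardened(ip: str, api_key_valid: bool, token_ok: bool) -> bool:
    """Never degrade to an origin-only check: require a valid key and token,
    and use FCrDNS only as an additional gate on top of them."""
    return api_key_valid and token_ok and fcrdns_trusted(ip)
```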

The CleanTalk Anti-Spam plugin, a subscription-based SaaS solution, is widely used to block spam registrations, form submissions, and malicious bots. With over 200,000 active installations, the flaw presents a significant risk to the WordPress ecosystem. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) underscores its low attack complexity, no required privileges, and high impact on confidentiality, integrity, and availability.

No patches have been mentioned at the time of disclosure, leaving affected sites exposed until remediation steps are taken.

Source: https://thecyberexpress.com/cleantalk-cve-2026-1490/

CleanTalk TPRM report: https://www.rankiteo.com/company/cleantalkcloud

{
"id": "cle1771323857",
"linkid": "cleantalkcloud",
"type": "Vulnerability",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '200,000 websites',
                        'industry': 'Web Development, SaaS',
                        'name': 'CleanTalk Anti-Spam WordPress Plugin Users',
                        'size': '200,000 active installations',
                        'type': 'Software/Plugin'}],
 'attack_vector': 'Network',
 'description': 'A severe security flaw in the CleanTalk Anti-Spam WordPress '
                'plugin (CVE-2026-1490) has left up to 200,000 websites '
                'vulnerable to unauthenticated arbitrary plugin installation, '
                'potentially leading to remote code execution (RCE). The '
                'vulnerability, rated 9.8 (Critical) on the CVSS scale, stems '
                'from an authorization bypass via reverse DNS (PTR) spoofing.',
 'impact': {'operational_impact': 'Potential remote code execution (RCE) and '
                                  'arbitrary plugin installation',
            'systems_affected': 'Up to 200,000 WordPress sites'},
 'post_incident_analysis': {'root_causes': 'Authorization bypass via reverse '
                                           'DNS (PTR) spoofing in the '
                                           '`checkWithoutToken` function due '
                                           'to improper verification of '
                                           'request authenticity when an '
                                           'invalid API key is present.'},
 'references': [{'source': 'Wordfence Intelligence'},
                {'source': 'KCSC (Nguyen Ngoc Duc)'}],
 'title': 'Critical WordPress Plugin Vulnerability Exposes 200,000 Sites to '
          'Remote Attacks',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-1490 (Authorization Bypass via Reverse '
                            'DNS Spoofing)'}