CleanTalk WordPress Plugin Vulnerability Puts 200,000 Sites at Risk
2026-02-17 09:49:30 Author: thecyberexpress.com

A WordPress plugin vulnerability has placed as many as 200,000 websites at potential risk, following the disclosure of a severe flaw in the CleanTalk Anti-Spam plugin.

The issue, tracked as CVE-2026-1490, carries a CVSS severity rating of 9.8 out of 10 and could allow unauthenticated attackers to install arbitrary plugins, opening the door to remote code execution under certain conditions. 

The vulnerability was identified by security researcher Nguyen Ngoc Duc (duc193) of KCSC. The advisory was published through Wordfence Intelligence, which maintains a widely referenced vulnerability database for WordPress ecosystem threats. 


Technical Overview of the CVE-2026-1490 Bug

The flaw affects the “Spam protection, Honeypot, Anti-Spam by CleanTalk” plugin for WordPress in all versions up to and including 6.71. The vulnerability has been formally cataloged as CVE-2026-1490 and described as: 

“Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 – Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation.” 

The vulnerability stems from reliance on reverse DNS resolution for a security-critical action. Specifically, the plugin’s checkWithoutToken function fails to adequately verify the authenticity of incoming requests when a valid API key is not present. This design flaw enables attackers to spoof reverse DNS (PTR) records and impersonate trusted sources. 


The CVSS vector for CVE-2026-1490 is listed as: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This rating reflects a network-based attack vector (AV:N), low attack complexity (AC:L), no required privileges (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). With a CVSS score of 9.8, the CleanTalk WordPress plugin vulnerability is categorized as critical. 


How the WordPress Plugin Vulnerability Works 

The CleanTalk plugin operates as a subscription-based software-as-a-service solution designed to block spam registrations, form submissions, comment spam, and malicious bots. Because it relies on a subscription model, the plugin requires a valid API key to communicate with CleanTalk servers. 

The WordPress plugin vulnerability identified in CVE-2026-1490 becomes exploitable when a website is using an invalid API key. In such cases, the plugin falls back on the checkWithoutToken function to validate “trusted” requests. However, this function does not properly authenticate the requester’s identity. 

An attacker can manipulate reverse DNS (PTR) records to make malicious requests appear as though they originate from the cleantalk.org domain. By spoofing the PTR record, the attacker bypasses authorization checks. This allows unauthenticated arbitrary plugin installation. 
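The design mistake described above and in the earlier overview is treating a PTR name as proof of origin. Whoever controls an address block can publish any PTR text for it, but cannot make the trusted domain's forward records point at their address, and DNS answers are unauthenticated in any case. The added example below (not code from the CleanTalk plugin or the Wordfence advisory) models the weak pattern next to a hardened check that requires forward-confirmed reverse DNS and a shared secret, and fails closed when no key is configured. The DNS data and the `cleantalk.org` host names are constructed, and the resolver functions are injected so the script runs offline; a real deployment would wrap `socket.gethostbyaddr` and `socket.getaddrinfo`.

```python
"""Reverse-DNS trust check: the flawed pattern beside a hardened one.

Added example, not the plugin's own code. All DNS records below are
constructed for the demonstration; resolvers are injected so it runs offline.
"""
import ipaddress
import secrets
from typing import Callable, Dict, List, Optional

TRUSTED_DOMAIN = "cleantalk.org"  # assumption: the domain the check trusts

# Constructed records. The attacker owns 198.51.100.7 and has published a
# PTR record naming a trusted host, but the trusted host's forward A record
# only points at 203.0.113.10.
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "api.cleantalk.org",  # genuine host (constructed)
    "198.51.100.7": "api.cleantalk.org",  # attacker address, spoofed PTR
}
A_RECORDS: Dict[str, List[str]] = {
    "api.cleantalk.org": ["203.0.113.10"],
}

PtrResolver = Callable[[str], Optional[str]]
FwdResolver = Callable[[str], List[str]]


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0]."""
    return PTR_RECORDS.get(ip)


def lookup_a(host: str) -> List[str]:
    """Stand-in for the addresses returned by socket.getaddrinfo(host, None)."""
    return A_RECORDS.get(host, [])


def in_trusted_domain(name: Optional[str]) -> bool:
    return name is not None and (
        name == TRUSTED_DOMAIN or name.endswith("." + TRUSTED_DOMAIN)
    )


def weak_is_trusted(ip: str, ptr: PtrResolver = lookup_ptr) -> bool:
    """Flawed pattern: trust the caller because its PTR name looks right.
    Nothing ties the PTR name back to the address, so a spoofed PTR passes."""
    return in_trusted_domain(ptr(ip))


def fcrdns_is_trusted(ip: str, ptr: PtrResolver = lookup_ptr,
                      forward: FwdResolver = lookup_a) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the
    requesting address. This defeats a bare PTR spoof but DNS is still
    unauthenticated, so it is a sanity check, not an authenticator."""
    name = ptr(ip)
    if not in_trusted_domain(name):
        return False
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == addr for a in forward(name))


def hardened_is_trusted(ip: str, presented_token: Optional[str],
                        expected_token: Optional[str],
                        ptr: PtrResolver = lookup_ptr,
                        forward: FwdResolver = lookup_a) -> bool:
    """Fail closed: with no configured key there is no fallback to DNS.
    Requires a constant-time token match and then FCrDNS as defence in depth."""
    if not expected_token or presented_token is None:
        return False
    if not secrets.compare_digest(presented_token, expected_token):
        return False
    return fcrdns_is_trusted(ip, ptr, forward)


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "weak:", weak_is_trusted(ip),
              "fcrdns:", fcrdns_is_trusted(ip),
              "hardened:", hardened_is_trusted(ip, "k", "k"))
```

The weak check accepts both addresses because both PTR names end in the trusted domain; the forward-confirmed check rejects the attacker's address because `api.cleantalk.org` does not resolve to it; and the hardened check additionally refuses every request when no valid key is configured, which is exactly the state in which the vulnerable fallback was reached.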


According to the Wordfence advisory: 

“The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the ‘checkWithoutToken’ function in all versions up to, and including, 6.71.” 

Once an attacker installs and activates a malicious or vulnerable plugin, they may be able to escalate the attack to remote code execution. Importantly, CVE-2026-1490 does not directly provide remote code execution by itself; rather, it enables the installation and activation of other plugins that could facilitate such attacks. 


Scope and Affected Versions 

The CleanTalk WordPress plugin vulnerability impacts versions up to and including 6.71. The affected software slug listed in the vulnerability database is “cleantalk-spam-protect,” as referenced on WordPress.org. 

At the time of disclosure, the plugin was installed on more than 200,000 websites. This widespread adoption significantly increases the potential attack surface for CVE-2026-1490. 

The vulnerability affects only installations where the API key is invalid. Sites configured with a valid API key are not susceptible to this specific authorization bypass flaw. 


Source: https://thecyberexpress.com/cleantalk-cve-2026-1490/