A critical vulnerability in the popular CleanTalk Spam Protection plugin for WordPress exposes websites to complete takeover.
Tracked as CVE-2026-1490, this high-severity flaw allows unauthenticated attackers to bypass authorization mechanisms and install arbitrary plugins on affected sites.
The vulnerability carries a CVSS score of 9.8, indicating immediate danger to website administrators using outdated versions of the software.
The core of the issue resides within the checkWithoutToken function of the plugin. This function performs a verification process that improperly relies on Reverse DNS (PTR) resolution to validate incoming requests.
In a standard secure environment, developers should verify identities using cryptographic tokens or strict server-side checks.
However, this specific function trusts the reverse-DNS (PTR) record of the connecting address. Because the owner of an IP range controls the PTR records for that range, attackers can set a PTR name that makes their requests appear to originate from CleanTalk’s own trusted servers.
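The following is an added illustration, not the plugin's code, of why a PTR-only trust check is forgeable and what a stricter check looks like: the PTR name must also resolve forward to the connecting address (forward-confirmed reverse DNS), and network origin is treated only as a hint alongside a required secret. The trusted domain, DNS records and token are constructed for the example, and the resolver functions are injected so it runs offline.

```python
"""Why a PTR-only trust check is forgeable, and a stricter alternative.

Added illustration, not the plugin's code: resolver functions are injected
so the example runs offline against constructed DNS records.
"""
import hmac
from typing import Callable, Iterable, Optional

TRUSTED_DOMAIN = "cleantalk.org"  # assumed trusted domain for this example

# Constructed records. 198.51.100.7 is an outside host whose owner set a
# PTR name under the trusted domain; only 203.0.113.10 is genuine.
PTR_RECORDS = {
    "203.0.113.10": "api.cleantalk.org",
    "198.51.100.7": "api.cleantalk.org",
    "198.51.100.8": "mail.example.net",
}
A_RECORDS = {"api.cleantalk.org": ["203.0.113.10"]}

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]

def in_trusted_domain(name: str) -> bool:
    return name == TRUSTED_DOMAIN or name.endswith("." + TRUSTED_DOMAIN)

def ptr_only_check(ip: str, ptr: PtrLookup) -> bool:
    """The weak pattern: trust whatever name the PTR record returns.
    The owner of the client's IP range controls that record."""
    name = ptr(ip)
    return name is not None and in_trusted_domain(name)

def fcrdns_check(ip: str, ptr: PtrLookup, forward: ForwardLookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must also resolve
    back to the connecting IP, which a spoofed PTR cannot satisfy."""
    name = ptr(ip)
    if name is None or not in_trusted_domain(name):
        return False
    return ip in set(forward(name))

def authorize(ip: str, token: str, expected: str,
              ptr: PtrLookup, forward: ForwardLookup) -> bool:
    """Network origin is only a hint; a secret the caller must present
    (compared in constant time) is what actually authorizes the request."""
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False
    return fcrdns_check(ip, ptr, forward)

def forward_lookup(name: str) -> Iterable[str]:
    """Constructed forward resolver backed by A_RECORDS."""
    return A_RECORDS.get(name, [])
```

With these records the spoofed host passes `ptr_only_check` but fails `fcrdns_check`, and `authorize` refuses any request without the correct token regardless of origin.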
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-1490 | 9.8 (Critical) | Authorization Bypass via Reverse DNS (PTR record) Spoofing in CleanTalk Spam Protection leads to unauthenticated arbitrary plugin installation and potential RCE. |
Successful exploitation of this flaw grants the attacker significant control over the WordPress installation.
By bypassing the authorization check, an unauthenticated threat actor can trigger the installation and activation of any plugin available in the WordPress repository. This capability serves as a gateway to Remote Code Execution (RCE).
Attackers typically use this access to install other plugins with known vulnerabilities or malicious tools that allow them to execute commands, modify files, and steal sensitive database information.
It is important to note that this vulnerability has a specific condition for exploitation. The attack is only viable on WordPress sites where the CleanTalk plugin is installed but currently has an invalid API key.
This scenario often occurs on development sites, abandoned projects, or sites where the subscription has lapsed but the plugin remains active.
Despite this limitation, the severity remains critical due to the low complexity of the attack and the lack of required user interaction.
The vulnerability was discovered by researcher Nguyen Ngoc Duc (duc193) and was publicly disclosed on February 14, 2026.
The CleanTalk development team has addressed this security gap in version 6.72. Administrators are strongly advised to verify their installed version and apply the update immediately to prevent unauthorized access.