Vulnerability Description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/trunk/lib/Clea
- https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/trunk/lib/Clea
- https://plugins.trac.wordpress.org/changeset/3454488/cleantalk-spam-protect#file
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cb603be6-4a12-49e1-b8c
FAQ
What is CVE-2026-1490?
CVE-2026-1490 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoof...
How severe is CVE-2026-1490?
CVE-2026-1490 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-1490?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.