CVE-2026-1490
Unknown Unknown - Not Provided
Authorization Bypass in CleanTalk Plugin Enables Arbitrary Plugin Installation

Publication date: 2026-02-15

Last updated on: 2026-02-15

Assigner: Wordfence

Description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-15
Last Modified
2026-02-15
Generated
2026-06-16
AI Q&A
2026-02-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1490
EUVD
EUVD-2026-5835
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
cleantalk spam_protection to 6.71 (inc)
cleantalk spam_protect 9.72
cleantalk anti_spam to 6.71 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-350 The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the CleanTalk Spam protection, Anti-Spam, FireWall WordPress plugin (all versions up to and including 6.71). It allows unauthorized attackers to bypass authorization by spoofing reverse DNS (PTR) records in the 'checkWithoutToken' function. This bypass enables unauthenticated attackers to install and activate arbitrary plugins on the affected WordPress site.

This unauthorized plugin installation can be leveraged to achieve remote code execution if another vulnerable plugin is present and activated on the site. However, this exploit is only possible on sites that have an invalid API key configured.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to install and activate arbitrary plugins without authentication. This can lead to remote code execution on the affected WordPress site if other vulnerable plugins are installed.

Remote code execution can allow attackers to take full control of the website, potentially leading to data theft, site defacement, malware distribution, or using the site as a launchpad for further attacks.

The vulnerability has a high severity score (CVSS 3.1 Base Score 9.8), indicating critical impact with network attack vector, no privileges required, no user interaction, and high confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability involves unauthorized arbitrary plugin installation via authorization bypass through reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function. Detection involves verifying if unauthorized remote calls are being made without valid tokens, especially from IPs with spoofed PTR records."}, {'type': 'paragraph', 'content': "One approach to detect exploitation attempts is to monitor HTTP requests to the WordPress site for calls to the CleanTalk plugin's remote call endpoints, checking for requests lacking valid tokens but originating from IPs with suspicious or spoofed reverse DNS entries."}, {'type': 'paragraph', 'content': 'Commands to help detect such activity could include:'}, {'type': 'list_item', 'content': 'Use web server access logs to filter requests to the CleanTalk plugin remote call endpoints, for example, using grep:'}, {'type': 'list_item', 'content': "grep 'cleantalk-spam-protect' /var/log/apache2/access.log | grep -v 'spbc_remote_call_token'"}, {'type': 'list_item', 'content': 'Perform reverse DNS lookups on suspicious IP addresses to verify if PTR records are consistent with forward DNS (FCrDNS) to detect spoofing:'}, {'type': 'list_item', 'content': 'host <IP_ADDRESS>'}, {'type': 'list_item', 'content': 'host <hostname_from_PTR>'}, {'type': 'list_item', 'content': 'Compare the IP from the forward lookup with the original IP to detect mismatches indicating PTR spoofing.'}, {'type': 'paragraph', 'content': "Additionally, monitoring plugin debug information via the CleanTalk plugin's debug remote call (if accessible and secured) can provide detailed plugin state and help identify unauthorized plugin installations."}] [3, 4]

Mitigation Strategies

Immediate mitigation steps include:

  • Update the CleanTalk Spam protection, Anti-Spam, FireWall plugin to version 6.72 or later, as the vulnerability affects all versions up to and including 6.71.
  • Ensure that your WordPress site uses a valid API key for the CleanTalk plugin, since the vulnerability is only exploitable on sites with an invalid API key.
  • Restrict or monitor remote calls to the CleanTalk plugin endpoints, especially those that do not include valid authentication tokens.
  • Implement network-level protections such as firewall rules to block suspicious IP addresses or IP ranges that do not resolve to legitimate CleanTalk servers.
  • Regularly audit installed plugins and their activation status to detect any unauthorized plugin installations.

These steps help prevent unauthorized plugin installation and reduce the risk of remote code execution through chained vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart