Executive Summary

CVE-2026-8071 is a stored cross-site scripting (XSS) vulnerability in the Anti-Spam by CleanTalk WordPress plugin versions before 6.79. The plugin fails to properly sanitize content within a custom shortcode called [apbct_encode_data], which is used in its email-encoding feature.

This flaw allows unauthenticated attackers to inject arbitrary malicious web scripts into approved comments. These scripts execute whenever any user, including administrators, views the affected post.

The vulnerability requires the plugin's email/contact encoder feature to be active, which is typically enabled after setting up a valid CleanTalk access key.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious security impacts because it allows attackers to execute arbitrary scripts in the context of the website.

• Attackers can inject malicious code into approved comments that will run when viewed by any user, including site administrators.
• This can lead to theft of sensitive information, session hijacking, defacement, or further compromise of the website.
• Since the attacker does not need to be authenticated, the risk is higher as anyone can exploit this vulnerability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the Anti-Spam by CleanTalk plugin version prior to 6.79 and if the email/contact encoder feature is active.

To detect potential exploitation, you can search for comments containing the custom shortcode `[apbct_encode_data]` with suspicious or malformed HTML or script tags.

Example commands to help detect the vulnerability or signs of exploitation include:

• On the server, search the WordPress database comments table for the shortcode usage with potential script tags, e.g., using MySQL: `SELECT comment_content FROM wp_comments WHERE comment_content LIKE '%[apbct_encode_data]%' AND comment_content LIKE '%<script>%'`
• Use WP-CLI to list plugin versions: `wp plugin list --format=json | jq '.[] | select(.name=="cleantalk-spam-protect")'` to verify the plugin version.
• Check if the email/contact encoder feature is enabled in the plugin settings via the WordPress admin dashboard or configuration files.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Anti-Spam by CleanTalk WordPress plugin to version 6.79 or later, where the vulnerability has been fixed.

If updating immediately is not possible, consider temporarily disabling the email/contact encoder feature to prevent exploitation.

Additionally, review and moderate existing comments for any suspicious content containing the `[apbct_encode_data]` shortcode with embedded scripts.

Implement web application firewall (WAF) rules to block requests attempting to inject scripts via comments.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into approved comments, which execute when viewed by any user, including administrators. This could lead to unauthorized access or manipulation of user data.

Such unauthorized script execution and potential data compromise may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized access or disclosure.

However, the provided information does not explicitly detail the direct compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0