PT-2026-8222 · WordPress · Cleantalk

Duc193 +1 · Published 2026-02-15 · Updated 2026-02-26 · CVE-2026-1490

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

CleanTalk versions up to and including 6.71

Description

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress has a flaw that allows unauthorized Arbitrary Plugin Installation. This is due to an authorization bypass via reverse DNS (PTR record) spoofing within the checkWithoutToken function. Unauthenticated attackers can install and activate arbitrary plugins, potentially leading to remote code execution if another vulnerable plugin is already installed and active. This is exploitable on sites with an invalid API key. Approximately 200,000 sites are potentially affected.

Recommendations

Update to version 6.72 or later.
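
The description attributes the bypass to trusting a reverse DNS (PTR) lookup. The sketch below is an added illustration, not CleanTalk's code: it contrasts a PTR-only check with a forward-confirmed one (FCrDNS), using a hypothetical trusted suffix, hypothetical function names and constructed DNS data.

```python
import ipaddress

# Hypothetical suffix of the service allowed to call without a token.
TRUSTED_SUFFIX = ".trusted-service.example"

# Constructed DNS data. The PTR record for an address is published by whoever
# controls that address block's reverse zone, so it can name any host.
PTR = {
    "203.0.113.10": "node1.trusted-service.example.",  # genuine service node
    "198.51.100.7": "node1.trusted-service.example.",  # unrelated network, same claim
}
A = {"node1.trusted-service.example": ["203.0.113.10"]}


def reverse_lookup(ip):
    return PTR.get(ip)


def forward_lookup(host):
    return A.get(host, [])


def ptr_only_check(client_ip, reverse=reverse_lookup):
    """Weak: accepts whatever name the PTR record claims."""
    host = (reverse(client_ip) or "").lower().rstrip(".")
    return host.endswith(TRUSTED_SUFFIX)


def forward_confirmed_check(client_ip, reverse=reverse_lookup, forward=forward_lookup):
    """FCrDNS: the PTR name must also resolve back to the connecting address."""
    host = (reverse(client_ip) or "").lower().rstrip(".")
    if not host.endswith(TRUSTED_SUFFIX):
        return False
    try:
        client = ipaddress.ip_address(client_ip)
        confirmed = {ipaddress.ip_address(a) for a in forward(host)}
    except ValueError:
        return False  # malformed address from the request or from DNS
    return client in confirmed


def compare(ips=("203.0.113.10", "198.51.100.7", "192.0.2.55")):
    """Return {ip: (ptr_only, forward_confirmed)} for each sample address."""
    return {ip: (ptr_only_check(ip), forward_confirmed_check(ip)) for ip in ips}


if __name__ == "__main__":
    for ip, (weak, strong) in compare().items():
        print(f"{ip:15} ptr_only={weak!s:5} forward_confirmed={strong}")
```

Against live DNS the two lookups would be `socket.gethostbyaddr` and `socket.getaddrinfo`. Even a forward-confirmed name only identifies a network location, so a privileged action such as plugin installation should still require a credential.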

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-1490

Affected Products

Cleantalk