A vital vulnerability within the fashionable CleanTalk Spam Safety plugin for WordPress exposes web sites to finish takeover.
Tracked as CVE-2026-1490, this high-severity flaw permits unauthenticated attackers to bypass authorization mechanisms and set up arbitrary plugins on affected websites.
The vulnerability carries a CVSS rating of 9.8, indicating fast hazard to web site directors utilizing outdated variations of the software program.
The core of the difficulty resides inside the checkWithoutToken perform of the plugin. This perform performs a verification course of that improperly depends on Reverse DNS (PTR) decision to validate incoming requests.
In an ordinary safe surroundings, builders ought to confirm identities utilizing cryptographic tokens or strict server-side checks.
Nonetheless, this particular perform trusts the DNS data supplied in the course of the connection. Attackers can exploit this by spoofing PTR data to make their requests seem as in the event that they originate from CleanTalk’s personal trusted servers.
| CVE ID | CVSS Rating | Description |
|---|---|---|
| CVE-2026-1490 | 9.8 (Important) | Authorization Bypass through Reverse DNS (PTR document) Spoofing in CleanTalk Spam Safety results in unauthenticated arbitrary plugin set up and potential RCE. |
Profitable exploitation of this flaw grants the attacker vital management over the WordPress set up.
By bypassing the authorization test, an unauthenticated risk actor can set off the set up and activation of any plugin obtainable within the WordPress repository. This functionality serves as a gateway to Distant Code Execution (RCE).
Attackers usually use this entry to put in different plugins with recognized vulnerabilities or malicious instruments that enable them to execute instructions, modify recordsdata, and steal delicate database data.
It is very important word that this vulnerability has a particular situation for exploitation. The assault is barely viable on WordPress websites the place the CleanTalk plugin is put in however at the moment has an invalid API key.
This situation typically happens on improvement websites, deserted tasks, or websites the place the subscription has lapsed however the plugin stays energetic.
Regardless of this limitation, the severity stays vital as a result of low complexity of the assault and the shortage of required person interplay.
The vulnerability was found by researcher Nguyen Ngoc Duc (duc193) and was publicly disclosed on February 14, 2026.
The CleanTalk improvement group has addressed this safety hole in model 6.72. Directors are strongly suggested to confirm their put in model and apply the replace instantly to forestall unauthorized entry.
Comply with us on Google Information, LinkedIn, and X to Get Prompt Updates and Set GBH as a Most popular Supply in Google
