Critical CleanTalk WordPress Flaw Exposes 200,000 Sites - Are You Still Vulnerable?

New CVE-2026-1490 bug lets attackers push rogue plugins to sites without valid CleanTalk keys - see if yours is at risk.

A critical security flaw has been disclosed in the "Spam protection, Anti-Spam, FireWall by CleanTalk" WordPress plugin. The vulnerability affects websites running vulnerable versions of the plugin and could enable unauthenticated attackers to achieve remote code execution. Security firm Wordfence estimates that up to 200,000 WordPress installations may be exposed.

[Figure: CleanTalk WordPress plugin vulnerability threatens up to 200K sites. Caption: CleanTalk's antispam WordPress plugin vulnerability is estimated to affect up to 200,000 sites.]

Key details: CleanTalk WordPress plugin vulnerability

Wordfence rates the flaw 9.8 on the CVSS scale, classifying it as critical. The vulnerability is tracked as CVE-2026-1490 and affects plugin versions up to and including 6.71. According to Wordfence, the plugin is installed on more than 200,000 websites.

  • Unauthenticated attackers can install arbitrary plugins on affected WordPress sites.
  • Those plugins can then be used as a path to remote code execution.
  • Exploitation relies on an authorization bypass in the plugin's checkWithoutToken function.
  • The flaw is triggered when the plugin cannot validate its connection using a CleanTalk API key.
  • Wordfence states that only sites without a valid CleanTalk API key are exposed.
  • Version 6.72 of the plugin is identified as the first release that contains a fix, so affected sites should update to 6.72 or later.

Wordfence attributes the issue to weaknesses in how the plugin determines whether a request is trusted. The advisory explains that this logic can be abused without any existing account or authenticated session on the target site, which significantly increases the risk for exposed installations.

Background context

Spam protection, Anti-Spam, FireWall by CleanTalk is a subscription-based antispam service for WordPress and other platforms. The plugin blocks spam registrations, contact form submissions, and other automated activities, and includes a firewall to filter unwanted bots. CleanTalk delivers its antispam service through API integration rather than static rule sets bundled in the plugin.

Because the plugin relies on a subscription model, it communicates with CleanTalk servers using an API key. When the plugin cannot validate this connection, it falls back to the checkWithoutToken function for certain requests. According to Wordfence, weaknesses in this fallback logic enable the authorization bypass at the center of CVE-2026-1490.

Wordfence reports that the plugin attempts to verify trusted requests through reverse DNS checks against the cleantalk.org domain. Attackers can reportedly spoof PTR records, making malicious requests appear as if they originate from CleanTalk infrastructure. This technique allows unauthenticated users to trigger plugin installation endpoints without proper authorization checks.
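The reverse-DNS weakness described above is a general one: a PTR record is published by whoever controls the reverse zone for an IP address, so a name ending in a trusted domain proves nothing on its own. The script below is an added illustration, not code from the CleanTalk plugin or from Wordfence. It contrasts a PTR-suffix-only trust check with a forward-confirmed reverse DNS (FCrDNS) check, and then shows that even FCrDNS should sit behind a shared secret such as the API key. The DNS tables, IP addresses and hostnames are constructed so the example runs offline; `cleantalk.org` appears only as the trusted suffix named in the advisory, and all function names are this example's own.

```python
"""PTR-only trust versus forward-confirmed reverse DNS (FCrDNS).

Added example, not the plugin's or Wordfence's code. The in-memory tables
below are constructed stand-ins for real DNS so the script runs offline.
"""
import hmac
import socket
from typing import Callable, Dict, List, Optional

TRUSTED_SUFFIX = ".cleantalk.org"  # leading dot: "notcleantalk.org" must not match

# Constructed reverse-DNS table (IP -> PTR name). The second entry models an
# attacker-controlled address whose owner published a misleading PTR record.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "api1.cleantalk.org",
    "203.0.113.7": "fake.cleantalk.org",
}

# Constructed forward table (hostname -> A records). Only the owner of the
# cleantalk.org zone can publish these, so "fake.cleantalk.org" has none.
A_TABLE: Dict[str, List[str]] = {
    "api1.cleantalk.org": ["192.0.2.10"],
}

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def table_ptr(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return PTR_TABLE.get(ip)


def table_forward(hostname: str) -> List[str]:
    """Offline A-record lookup against the constructed table."""
    return A_TABLE.get(hostname, [])


def system_ptr(ip: str) -> Optional[str]:
    """Live PTR lookup via the OS resolver (used only if you swap it in)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname: str) -> List[str]:
    """Live forward lookup via the OS resolver (used only if you swap it in)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []


def ptr_only_trusted(ip: str, ptr: PtrLookup = table_ptr) -> bool:
    """Weak check: trust any IP whose PTR name ends in the trusted suffix.

    The reverse zone for an IP is controlled by the IP's holder, so an
    attacker can make their own address resolve to a name under any domain.
    """
    host = ptr(ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)


def fcrdns_trusted(ip: str, ptr: PtrLookup = table_ptr,
                   forward: ForwardLookup = table_forward) -> bool:
    """Forward-confirmed check: the PTR name must be under the trusted suffix
    AND resolving that name forward must yield the original IP. The forward
    record can only be published by the trusted domain's owner."""
    host = ptr(ip)
    if host is None or not host.endswith(TRUSTED_SUFFIX):
        return False
    return ip in forward(host)


def request_authorized(ip: str, presented_key: str, expected_key: str,
                       ptr: PtrLookup = table_ptr,
                       forward: ForwardLookup = table_forward) -> bool:
    """Policy a plugin should apply: network identity is a hint, the shared
    secret is the authorization. A missing or empty key is never accepted,
    whatever DNS says about the caller."""
    if not expected_key or not presented_key:
        return False
    if not hmac.compare_digest(presented_key, expected_key):
        return False
    return fcrdns_trusted(ip, ptr, forward)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.1"):
        print(ip, "ptr-only:", ptr_only_trusted(ip), "fcrdns:", fcrdns_trusted(ip))
```

Run as-is, the spoofed address `203.0.113.7` passes `ptr_only_trusted` but fails `fcrdns_trusted`, because no forward record under `cleantalk.org` points back at it. To use the live resolvers, pass `system_ptr` and `system_forward` in place of the table functions; the point of `request_authorized` is that a DNS-based origin check, even the forward-confirmed one, complements a valid API key rather than replacing it.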

Source citations

Technical details and mitigation guidance are documented in the Wordfence threat intelligence coverage of the vulnerability. The Wordfence advisory describes the authorization bypass, affected versions, exploitation prerequisites, and recommended fixes.

Search Engine Journal also reported on the issue in coverage by staff writer Roger Montti.
