Critical CleanTalk WordPress Flaw Exposes 200,000 Sites - Are You Still Vulnerable?

Reviewed by Andrii Daniv · 2 min read · Feb 17, 2026

A critical security flaw has been disclosed in the "Spam protection, Anti-Spam, FireWall by CleanTalk" WordPress plugin. The vulnerability affects websites running unpatched versions of the plugin and could enable unauthenticated attackers to achieve remote code execution. Security firm Wordfence estimates that up to 200,000 WordPress installations may be exposed.

CleanTalk WordPress Plugin Vulnerability Threatens Up To 200K Sites
CleanTalk's antispam WordPress plugin vulnerability is estimated to affect up to 200,000 sites.

Key details: CleanTalk WordPress plugin vulnerability

Wordfence rates the flaw 9.8 on the CVSS scale, classifying it as critical. The vulnerability is tracked as CVE-2026-1490 and affects plugin versions up to and including 6.71. According to Wordfence, the plugin is installed on more than 200,000 websites.

  • Unauthenticated attackers can install arbitrary plugins on affected WordPress sites.
  • Those plugins can then be used as a path to remote code execution.
  • Exploitation relies on an authorization bypass in the plugin's checkWithoutToken function.
  • The flaw is triggered when the plugin cannot validate its connection using a CleanTalk API key.
  • Wordfence states that only sites without a valid CleanTalk API key are exposed.
  • Version 6.72 of the plugin is identified as the first release that contains a fix, so affected sites should update to 6.72 or later.

Wordfence attributes the issue to weaknesses in how the plugin determines whether a request is trusted. The advisory explains that this logic can be abused without any existing account or authenticated session on the target site, which significantly increases the risk for exposed installations.

Background context

Spam protection, Anti-Spam, FireWall by CleanTalk is a subscription-based antispam service for WordPress and other platforms. The plugin blocks spam registrations, contact form submissions, and other automated activities, and includes a firewall to filter unwanted bots. CleanTalk delivers its antispam service through API integration rather than static rule sets bundled in the plugin.

Because the plugin relies on a subscription model, it communicates with CleanTalk servers using an API key. When the plugin cannot validate this connection, it falls back to the checkWithoutToken function for certain requests. According to Wordfence, weaknesses in this fallback logic enable the authorization bypass at the center of CVE-2026-1490.

Wordfence reports that the plugin attempts to verify trusted requests through reverse DNS checks against the cleantalk.org domain. Attackers can reportedly spoof PTR records, making malicious requests appear as if they originate from CleanTalk infrastructure. This technique allows unauthenticated users to trigger plugin installation endpoints without proper authorization checks.
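To make the weakness concrete, the following added example (written for this article, not code from the CleanTalk plugin or the Wordfence advisory) contrasts a trust check that only inspects the PTR name with a forward-confirmed reverse DNS check. The resolver, the hostname api.cleantalk.org and the IP addresses are constructed for the demonstration, and the suffix-match pattern is an assumption about how such checks are commonly written rather than a description of the plugin's actual code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUSTED_SUFFIX = ".cleantalk.org"  # the domain the article says the plugin checks against


@dataclass
class FakeResolver:
    """Constructed lookup tables standing in for DNS; nothing is queried over the network."""
    ptr: Dict[str, str] = field(default_factory=dict)         # ip -> PTR hostname
    fwd: Dict[str, List[str]] = field(default_factory=dict)   # hostname -> A records

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, host: str) -> List[str]:
        return self.fwd.get(host, [])


def ptr_only_trust(ip: str, r: FakeResolver) -> bool:
    """Weak pattern: trust the caller if its PTR name ends with the vendor suffix.
    The reverse zone for an IP block is controlled by whoever holds that block,
    so the PTR string alone proves nothing about ownership of cleantalk.org."""
    host = r.reverse(ip)
    return host is not None and host.lower().endswith(TRUSTED_SUFFIX)


def fcrdns_trust(ip: str, r: FakeResolver) -> bool:
    """Hardened pattern (forward-confirmed reverse DNS): the PTR name must also
    resolve forward to the same address, which requires control of the vendor's zone."""
    host = r.reverse(ip)
    if host is None or not host.lower().endswith(TRUSTED_SUFFIX):
        return False
    target = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == target for a in r.forward(host))


# Constructed scenario using documentation address ranges, not real hosts.
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": "api.cleantalk.org",    # legitimate: forward record agrees
        "198.51.100.7": "api.cleantalk.org",  # attacker-controlled PTR: forward record disagrees
        "203.0.113.5": "host5.example.net",   # unrelated host
    },
    fwd={"api.cleantalk.org": ["192.0.2.10"]},
)


def classify(ip: str) -> Dict[str, bool]:
    """Return the verdict of both checks for one source address."""
    return {"ptr_only": ptr_only_trust(ip, RESOLVER), "fcrdns": fcrdns_trust(ip, RESOLVER)}
```

The second address passes the PTR-only check but fails forward confirmation, which is exactly the spoofing the article describes. Even the stronger check is only a network heuristic; the remediation the article gives is updating to 6.72 or later and configuring a valid CleanTalk API key.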

Source citations

Technical details and mitigation guidance are documented in the Wordfence threat intelligence coverage of the vulnerability. The Wordfence advisory describes the authorization bypass, affected versions, exploitation prerequisites, and recommended fixes.

Search Engine Journal also reported on the issue in coverage by staff writer Roger Montti.

Author: Etavrian AI, developed by Andrii Daniv to produce and optimize content for the etavrian.com website.

Reviewed by Andrii Daniv, founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e-commerce businesses.