CleanTalk WordPress Plugin Vulnerability Threatens Up To 200K Sites


According to Roger Montti’s article on Search Engine Journal, “CleanTalk WordPress Plugin Vulnerability Threatens Up To 200K Sites,” a critical security flaw in the CleanTalk Antispam WordPress plugin could expose up to 200,000 websites to serious risk.
Critical 9.8 Severity Rating

Montti reports that the vulnerability has a CVSS score of 9.8/10 (Critical) and allows unauthenticated attackers to install arbitrary plugins on vulnerable sites. An attacker-chosen plugin runs as PHP inside WordPress, so the installed plugin can then be used to achieve remote code execution (RCE) on the server.

CleanTalk is a subscription-based anti-spam and firewall service that relies on API communication with CleanTalk’s servers. The flaw exists in the portion of the plugin responsible for validating API requests.

Root Cause: Authorization Bypass

The issue, tracked as CVE-2026-1490, stems from improper verification inside the plugin’s checkWithoutToken function. When a request does not carry a valid API key, the plugin falls back to this function to decide whether the request should be treated as “trusted.”

According to Montti’s coverage of the Wordfence advisory, the function can be bypassed through reverse DNS (PTR record) spoofing, allowing attackers to make their requests appear to originate from the legitimate cleantalk.org domain. The underlying weakness is general: a PTR record is set by whoever controls the reverse zone for the source IP address, not by the owner of the domain it names, so a hostname obtained from a reverse lookup alone proves nothing about the sender unless it is forward-confirmed (the name must resolve back to the same IP).

Importantly, the vulnerability affects only installations without a valid API key configured, making misconfigured or inactive subscriptions particularly vulnerable.
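To make the failure mode concrete, the following is an added illustration, written for this article and not taken from the CleanTalk plugin or from the Wordfence advisory. It contrasts a PTR-only trust check with a forward-confirmed reverse DNS (FCrDNS) check, using a constructed, in-memory resolver so it runs offline: the IP addresses, the hostname `api.cleantalk.org`, and the shape of the `request_is_trusted` fallback are assumptions for the example, not details from the advisory.

```python
# Constructed DNS data for this example only. Real code would call
# socket.gethostbyaddr() / socket.getaddrinfo(); a dict-backed resolver keeps
# the example deterministic and offline. Addresses are RFC 5737 test ranges.
FAKE_PTR = {
    "203.0.113.10": "api.cleantalk.org",   # assumed genuine CleanTalk host
    "198.51.100.7": "api.cleantalk.org",   # attacker IP with a spoofed PTR record
    "192.0.2.44":   "evilcleantalk.org",   # attacker IP with a look-alike PTR
}
# Forward zone for cleantalk.org: only the domain owner can publish these.
FAKE_A = {
    "api.cleantalk.org": {"203.0.113.10"},
}

TRUSTED_DOMAIN = "cleantalk.org"


def is_trusted_hostname(host: str) -> bool:
    """True for cleantalk.org or a subdomain of it, matched on a label
    boundary so that 'evilcleantalk.org' does not pass a bare endswith()."""
    host = host.rstrip(".").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def reverse_lookup(ip: str, ptr_table=FAKE_PTR):
    """PTR lookup: the answer is controlled by the owner of the IP's reverse zone."""
    return ptr_table.get(ip)


def forward_lookup(host: str, a_table=FAKE_A) -> set:
    """A/AAAA lookup: the answer is controlled by the owner of the domain."""
    return a_table.get(host.rstrip(".").lower(), set())


def trusted_by_ptr_only(ip: str, ptr_table=FAKE_PTR) -> bool:
    """The weak pattern: trust any source whose PTR name lands in the
    trusted domain. An attacker who can set the PTR for their own IP
    passes this check without touching cleantalk.org at all."""
    host = reverse_lookup(ip, ptr_table)
    return host is not None and is_trusted_hostname(host)


def trusted_by_fcrdns(ip: str, ptr_table=FAKE_PTR, a_table=FAKE_A) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must be in the trusted
    domain AND resolve back to the source IP. The attacker controls the
    PTR, but not the forward records under cleantalk.org."""
    host = reverse_lookup(ip, ptr_table)
    if host is None or not is_trusted_hostname(host):
        return False
    return ip in forward_lookup(host, a_table)


def request_is_trusted(api_key, source_ip, valid_keys, check=trusted_by_fcrdns) -> bool:
    """Assumed shape of the fallback the article describes: a valid API key
    settles the question; otherwise the decision falls to a DNS-based check.
    Passing check=trusted_by_ptr_only reproduces the spoofable behaviour."""
    if api_key and api_key in valid_keys:
        return True
    return check(source_ip)


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(f"{ip:14} PTR-only={trusted_by_ptr_only(ip)!s:5} "
              f"FCrDNS={trusted_by_fcrdns(ip)}")
```

Run stand-alone, the script shows the spoofed attacker address accepted by the PTR-only check and rejected once the name is forward-confirmed, while the genuine host passes both. Forward confirmation is still only a mitigation for a DNS-based trust decision; a site with a valid API key configured never reaches this fallback, which is why the article stresses that only installations without a key are exposed.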

Potential Impact

If successfully exploited, attackers could:

  • Install malicious plugins
  • Escalate the attack to full remote code execution
  • Potentially gain control over the affected site

Because no authentication is required and the only precondition on the attacker’s side is control of the PTR record for the IP address they send from, the barrier to exploitation is low.

Affected Versions and Fix

The vulnerability affects all versions of the plugin up to and including 6.71. It has been patched in version 6.72, and site owners are strongly advised to update immediately; those who cannot update right away should at minimum confirm that a valid API key is configured, since the vulnerable fallback is only reached when it is not.

As Montti’s reporting underscores, critical vulnerabilities involving authorization bypass and plugin installation can rapidly escalate into full site compromise, making prompt updates essential for affected WordPress sites.
