Critical CleanTalk Plugin Problem Exposes Nearly 200k WordPress Sites to Remote Code Execution Risk
A serious vulnerability has been uncovered in the widely used CleanTalk Antispam plugin, putting as many as 200,000 WordPress websites at risk.
The flaw, tracked as CVE-2026-1490, is rated 9.8 out of 10 in severity, and website owners are urged to act immediately.
A Popular Anti-Spam Tool Under Threat
CleanTalk Antispam is a subscription-based plugin that helps WordPress sites prevent spam registrations, fake user sign-ups, malicious form submissions, and bot traffic.
It also includes firewall capabilities designed to block suspicious activity before it reaches the site.
The plugin works by connecting to CleanTalk’s remote servers using a valid API key. This key authenticates requests, ensuring that only legitimate interactions are processed.
Where the Risk Lies
The vulnerability lies in the plugin’s authentication logic. When a valid API key is present, the plugin verifies requests directly with CleanTalk’s servers.
If the API key is invalid or missing, however, the plugin falls back on an internal function called “CheckWithoutToken”, which validates so-called “trusted” requests.
Security experts believe this fallback function does not properly confirm the identity of the requester, allowing attackers to exploit the weakness through reverse DNS (PTR record) spoofing.
This technique lets them make malicious traffic appear to originate from the cleantalk.org domain.
If the spoofed request is accepted as legitimate, the attacker gains unauthorized access to sensitive functionality.
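The weakness described above is a general one: a reverse DNS (PTR) record is set by whoever controls the reverse zone for an IP address, so a check that trusts the PTR name alone can be satisfied by any client that controls its own reverse DNS. The added example below (not CleanTalk's code; the hostnames, addresses and DNS records are constructed) contrasts such a PTR-only check with forward-confirmed reverse DNS, which additionally requires the PTR name to resolve back to the connecting address.

```python
"""Why trusting a PTR lookup alone is spoofable, and how forward-confirmed
reverse DNS (FCrDNS) closes that gap. Resolver functions are injected so the
example runs offline against constructed records."""
import ipaddress
from typing import Callable, List, Optional

TRUSTED_DOMAIN = "cleantalk.org"  # domain the vulnerable check reportedly trusts

# Constructed DNS data (not real records). The attacker controls the reverse
# zone for 203.0.113.7 and points its PTR at a cleantalk.org name, but cannot
# edit cleantalk.org's forward zone, so that name does not resolve back to them.
PTR_RECORDS = {
    "198.51.100.10": "node1.cleantalk.org",  # hypothetical legitimate server
    "203.0.113.7": "node1.cleantalk.org",    # attacker-controlled PTR
}
A_RECORDS = {
    "node1.cleantalk.org": ["198.51.100.10"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_a(host: str) -> List[str]:
    return A_RECORDS.get(host, [])


def is_under_domain(host: str, domain: str) -> bool:
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def weak_is_trusted(ip: str, ptr: Callable[[str], Optional[str]] = lookup_ptr) -> bool:
    """PTR-only check: trusts whatever name the client's reverse zone claims."""
    name = ptr(ip)
    return name is not None and is_under_domain(name, TRUSTED_DOMAIN)


def fcrdns_is_trusted(ip: str,
                      ptr: Callable[[str], Optional[str]] = lookup_ptr,
                      a: Callable[[str], List[str]] = lookup_a) -> bool:
    """Forward-confirmed check: the PTR name must resolve back to the same IP."""
    name = ptr(ip)
    if name is None or not is_under_domain(name, TRUSTED_DOMAIN):
        return False
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(x) == addr for x in a(name))
```

Forward confirmation only hardens a DNS-based trust decision; it is not a substitute for authenticating the request itself, for example with a valid API key.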
Risk of Unauthorized Plugin Installation
The most alarming consequence is the ability for attackers to install arbitrary plugins on vulnerable websites. Once installed, a malicious or risky plugin can be used to launch remote code execution attacks.
Remote code execution enables attackers to run arbitrary commands on the compromised server. This can result in full site takeover, theft of sensitive data, website defacement, or the distribution of malware to visitors.
Given the plugin’s widespread adoption, the potential scale of exploitation is significant.
Who Is Affected?
The vulnerability affects CleanTalk plugin versions up to and including version 6.71. Websites that do not have a valid API key configured are particularly vulnerable, as the flaw is triggered during fallback authentication.
Security experts recommend that all users update regardless of configuration status to ensure complete protection.
Recommended Action for Website Owners
Reports indicate that the issue has been patched in version 6.72. Website administrators should update immediately.
In addition to updating, site owners should:
- Verify that their CleanTalk API key is valid and correctly configured
- Review installed plugins for any unauthorized additions
- Monitor activity logs for suspicious behavior
- Conduct a broader security audit if compromise is suspected
Reminder on Plugin Security
This incident highlights the broader risks associated with third-party WordPress plugins. Even widely trusted tools can contain flaws and be left unpatched.
Prompt updates, proactive monitoring, and correct configuration are the most effective safeguards against emerging cyber threats.