Massive Security Flaw Exposed in CleanTalk Plugin: Are 200K WordPress Sites at Risk?

Imagine relying on a plugin that guards your website against spam and bots, only to find out it has an Achilles' heel so glaring that attackers can slip right through and hijack your site. That is exactly what has happened with the CleanTalk Antispam WordPress plugin, installed on more than 200,000 sites. Rated 9.8 out of 10 for severity, the vulnerability lets unauthenticated attackers install plugins of their choosing, a foothold that can be turned into full remote code execution. The flaw sits in what looks like a routine step: the plugin checks for a valid API key, and when that check cannot succeed it falls back to a weaker way of deciding whether a request is trusted, one an attacker can pass by making their connection appear to come from the cleantalk.org domain. The saving grace is that only sites running the plugin without a valid API key are exposed. If CleanTalk is running on your site, it is time to ask whether you are really as protected as you thought. Updating to the latest version is the fix.

An advisory was issued for a critical vulnerability rated 9.8/10 in the CleanTalk Antispam WordPress plugin, installed on over 200,000 websites. The vulnerability enables unauthenticated attackers to install arbitrary plugins, including vulnerable ones that can then be used to achieve remote code execution.

CleanTalk Antispam Plugin

The CleanTalk Antispam plugin is subscription-based software as a service that protects websites from inauthentic user actions such as spam subscriptions, registrations and form emails, and includes a firewall for blocking bad bots.

Because it is subscription-based, the plugin relies on a valid API key to reach the CleanTalk servers, and that is the part of the plugin where the flaw behind the vulnerability was found.

CleanTalk Plugin Vulnerability CVE-2026-1490

The plugin contains a function (in a WordPress plugin, a function is PHP code that performs a specific task) that checks whether a valid API key is available for contacting the CleanTalk servers.

If the plugin cannot validate a connection to CleanTalk's servers because there is no valid API key, it falls back to the checkWithoutToken function to decide whether an incoming request is "trusted".

The problem is that checkWithoutToken does not properly verify the requester's identity. It relies on a reverse DNS (PTR record) lookup of the requesting IP address, and the PTR record for an IP is published by whoever controls that address's reverse zone, not by CleanTalk. An attacker can therefore give their own IP a PTR record that resolves to a cleantalk.org name, pass the check, and go on to install plugins. Because the fallback is only reached when no valid API key is in use, the vulnerability affects only sites running the plugin without a valid API key.

The Wordfence advisory describes the vulnerability:

“The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the ‘checkWithoutToken’ function…”
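To make the bypass concrete, here is an added illustration (not code from the CleanTalk plugin or from Wordfence) of why a PTR-based trust check is spoofable and what a forward-confirmed reverse DNS (FCrDNS) check changes. It is written in Python rather than PHP so it can be run anywhere; DNS is replaced by constructed in-memory tables, the IP addresses are RFC 5737 documentation addresses, and the hostnames, the two-tier authorization model and the token handling are assumptions that mirror the article's description, not the plugin's actual logic.

```python
"""Reverse-DNS (PTR) trust check: the spoofable pattern and a forward-confirmed one.

Added illustration, not code from the CleanTalk plugin. DNS is replaced by
constructed in-memory tables so the script runs offline.
"""
import secrets
from typing import Callable, Dict, List, Optional

TRUSTED_SUFFIX = ".cleantalk.org"   # leading dot so "evilcleantalk.org" cannot match

# Constructed records (assumption: not real cleantalk.org DNS data).
# The attacker owns the reverse zone for 203.0.113.0/24, so they can publish
# any PTR they like for 203.0.113.7. They do NOT control the cleantalk.org
# forward zone, so they cannot add an A record there.
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.10": "moderate1.cleantalk.org",  # hypothetical genuine vendor host
    "203.0.113.7": "moderate1.cleantalk.org",    # attacker-chosen PTR: spoofed
}
A_RECORDS: Dict[str, List[str]] = {
    "moderate1.cleantalk.org": ["198.51.100.10"],
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0]; None when no PTR exists."""
    return PTR_RECORDS.get(ip)


def forward_lookup(host: str) -> List[str]:
    """Stand-in for resolving a hostname's A records."""
    return A_RECORDS.get(host, [])


def trusted_by_ptr_only(ip: str) -> bool:
    """The spoofable pattern: trust any requester whose PTR ends in the vendor domain.

    The PTR is published by whoever controls the reverse zone of the *source*
    IP, so it proves nothing about the vendor.
    """
    host = ptr_lookup(ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)


def trusted_by_fcrdns(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the source IP."""
    host = ptr_lookup(ip)
    if host is None or not host.endswith(TRUSTED_SUFFIX):
        return False
    return ip in forward_lookup(host)


def authorize_remote_call(
    source_ip: str,
    presented_token: Optional[str],
    configured_token: Optional[str],
    fallback: Callable[[str], bool],
) -> bool:
    """Simplified model (assumption) of the two-tier check the article describes.

    With a key configured, a token tied to it must match (constant-time compare).
    With no key configured, the call falls through to a requester-identity check,
    and that fallback is where all the trust lives.
    """
    if configured_token is not None:
        return presented_token is not None and secrets.compare_digest(
            presented_token, configured_token
        )
    return fallback(source_ip)


if __name__ == "__main__":
    attacker, vendor = "203.0.113.7", "198.51.100.10"
    for name, check in (("PTR-only", trusted_by_ptr_only), ("FCrDNS", trusted_by_fcrdns)):
        print(f"{name:8} vendor={check(vendor)} attacker={check(attacker)}")
    # A site with no API key falls through to the identity check:
    print("no key, PTR-only  :", authorize_remote_call(attacker, None, None, trusted_by_ptr_only))
    print("no key, FCrDNS    :", authorize_remote_call(attacker, None, None, trusted_by_fcrdns))
    # A site with a key never reaches the fallback:
    print("key set, bad token:", authorize_remote_call(attacker, "x", "real-token", trusted_by_ptr_only))
```

Running it shows the attacker's IP passing the PTR-only check and failing the forward-confirmed one, while a site with a configured key never consults the fallback at all. FCrDNS is only a partial hardening: it still pins authorization to DNS, which has its own integrity problems, so a remote call that must be trusted should carry a secret derived from the site's API key or a signature the server can verify, which is exactly the path a site without a valid key does not get.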

Recommended Action

The vulnerability affects CleanTalk plugin versions up to and including 6.71. Wordfence recommends users update their installations to the latest version, which at the time of writing is 6.72.