CVE-2026-1490 · CRITICAL 9.8 · EPSS p62.9%

Description

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
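The weakness class named above (CWE-350) is a check that trusts the PTR name a caller's IP resolves to. Whoever controls the reverse zone for an address chooses that name, so a PTR-only check can be satisfied by an untrusted host. The following is an added example written for this page, not CleanTalk's code: it shows a PTR-only authorization function beside a forward-confirmed reverse DNS (FCrDNS) variant that also resolves the name forward and requires the caller's address to be among the results. The allow-list suffix, function names and the DNS fixture are assumptions constructed for the example; the `live_*` resolvers use the real system resolver and are included only to show how the same functions would be wired up in practice.

```python
"""Reverse-DNS-based authorization (CWE-350): the weak pattern beside a
forward-confirmed check. Example code written for this page; the names,
allow-list and DNS fixture below are assumptions, not the plugin's code."""
import ipaddress
import socket
from typing import Dict, List

# Constructed DNS fixture (invented for this example, not real hosts).
# 203.0.113.10 has a PTR that the forward zone confirms.
# 198.51.100.7 has a PTR pointing at the same trusted name, but whoever
# controls that reverse zone set it; the forward zone does not map back.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "api.trusted-vendor.test",
    "198.51.100.7": "api.trusted-vendor.test",
}
FAKE_A: Dict[str, List[str]] = {
    "api.trusted-vendor.test": ["203.0.113.10"],
}

# Assumed allow-list: callers are trusted if their hostname ends with this.
TRUSTED_SUFFIX = ".trusted-vendor.test"


def fake_ptr_lookup(ip: str) -> str:
    """Stand-in for socket.gethostbyaddr() that reads the fixture."""
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise LookupError(f"no PTR for {ip}") from None


def fake_forward_lookup(name: str) -> List[str]:
    """Stand-in for socket.getaddrinfo() that reads the fixture."""
    try:
        return FAKE_A[name]
    except KeyError:
        raise LookupError(f"no address record for {name}") from None


def live_ptr_lookup(ip: str) -> str:
    """Real resolver: PTR lookup via the system resolver (not used offline)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror) as exc:
        raise LookupError(str(exc)) from exc


def live_forward_lookup(name: str) -> List[str]:
    """Real resolver: every address the name resolves to (not used offline)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as exc:
        raise LookupError(str(exc)) from exc
    return sorted({info[4][0] for info in infos})


def _normalize(ip: str) -> str:
    """Canonical text form of the address; raises ValueError if malformed."""
    return str(ipaddress.ip_address(ip))


def ptr_only_authorize(ip: str, ptr=fake_ptr_lookup) -> bool:
    """Weak pattern (CWE-350): trusts whatever name the reverse zone returns."""
    try:
        name = ptr(_normalize(ip))
    except (LookupError, ValueError):
        return False
    return name.lower().endswith(TRUSTED_SUFFIX)


def fcrdns_authorize(ip: str, ptr=fake_ptr_lookup,
                     forward=fake_forward_lookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the caller."""
    try:
        ip = _normalize(ip)
        name = ptr(ip)
        if not name.lower().endswith(TRUSTED_SUFFIX):
            return False
        # The forward zone is controlled by the trusted name's owner, not by
        # whoever controls the caller's reverse zone, so it must agree.
        return ip in {_normalize(addr) for addr in forward(name)}
    except (LookupError, ValueError):
        return False


if __name__ == "__main__":
    for caller in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(caller, "ptr-only:", ptr_only_authorize(caller),
              "fcrdns:", fcrdns_authorize(caller))
```

Forward confirmation closes the spoofed-PTR case in the fixture, but it still only proves that the caller is an address the trusted name resolves to; the description's own note that the bypass applies when the API key is invalid points at the stronger control, which is to require a valid shared secret or token on the remote call regardless of what the caller's hostname is.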

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.16% probability of exploitation · percentile 62.9% · 2026-06-19T12:03:05Z
Published: 2026-02-15
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action

References

  1. https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/trunk/lib/Cleantalk/ApbctWP/RemoteCalls.php#L69
  2. https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/trunk/lib/Cleantalk/Common/Helper.php#L64
  3. https://plugins.trac.wordpress.org/changeset/3454488/cleantalk-spam-protect#file473
  4. https://www.wordfence.com/threat-intel/vulnerabilities/id/cb603be6-4a12-49e1-b8cc-b2062eb97f16?source=cve

Type     | Target                                                                   | Confidence | Tier
Weakness | Reliance on Reverse DNS Resolution for a Security-Critical Action (cwe-350) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-8071 (CVE)
  - CVE-2026-1499 (CVE)
  - CVE-2021-47984 (CVE)
  - CVE-2026-2001 (CVE)
  - CVE-2026-6443 (CVE)
  - CVE-2026-6235 (CVE)

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.