CleanTalk ≤6.71 Auth Bypass via PTR Spoofing Leads to Plugin Install

A critical authorization bypass has been disclosed in the popular WordPress CleanTalk anti-spam plugin. Tracked as CVE-2026-1490, the flaw affects versions up to and including 6.71 and allows unauthenticated attackers to spoof reverse DNS (PTR) records and install arbitrary plugins. It carries a CVSS 3.1 score of 9.8, straight-up critical.

CleanTalk, with over 100,000 active installations on WordPress.org, promises spam protection, honeypots, and firewall features. But in vulnerable versions, the checkWithoutToken function in RemoteCalls.php (line 69) trusts PTR records without any further verification.

Auth Bypass via PTR Spoofing

The plugin performs a reverse DNS lookup on the caller’s IP via a helper in Common/Helper.php (line 64). If the PTR record resolves to a hostname resembling CleanTalk’s own, and an attacker who controls the reverse zone for their IP can make it do exactly that, the plugin greenlights admin-level actions without a valid API key.

This isn’t theoretical. Attackers need only control a nameserver that can spoof PTR records for their IP. Tools like dnsmasq or cloud providers with DNS APIs make this trivial. Once bypassed, they hit the plugin’s update mechanisms, slipping in malicious ZIP files hosted anywhere.

A successful installation activates the payload, enabling remote code execution (RCE), especially if the site runs other exploitable plugins. Wordfence notes exploitation requires an invalid API key, a common misconfiguration on trial or lapsed setups, but that’s no silver bullet; misconfigured keys are rampant.

Field              Details
CVE ID             CVE-2026-1490
CVSS Score         9.8 (Critical)
CVSS Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions  ≤ 6.71
Patched Version    6.72

Digging into the code tells the story. The vulnerable path skips token validation if the PTR matches expected patterns, echoing the site’s domain or CleanTalk endpoints.

Patch changeset 3454488 in the plugin’s Trac repo clamps this by enforcing proper auth checks, landing in version 6.72. Sites on ≤6.71? They’re sitting ducks, particularly amid rising WordPress attacks, up 20% year over year, according to recent Sucuri reports.

Nguyen Ngoc Duc from KCSC deserves credit for spotting this. His report highlights that reliance on DNS for “security critical actions” (per the CVSS rationale) amplifies the risk: low attack complexity, no privileges required, and a network-reachable attack vector.

Impact? Data dumps, backdoors, or site takeovers: a full compromise of confidentiality, integrity, and availability.

Check your CleanTalk version now. The dashboard’s Plugins screen shows it plainly; update to 6.72+ via the one-click option if possible. No auto-updates? Fetch it manually from wordpress.org/plugins/cleantalk-spam-protect/.

Beyond that, audit API keys, generate new ones from CleanTalk’s dashboard, and lock down plugin installs outside the normal admin workflow. For bulk fixes across many sites, WP-CLI speeds things up (e.g., wp plugin update cleantalk-spam-protect).

This vuln underscores a broader lesson: DNS is a lookup tool, not an auth gate. We’ve seen PTR spoofing bite before, from old SSH keygen flaws to misbegotten cloud IAM.

Devs, validate with cryptographically secure tokens or mutual TLS. Operators, layer defenses: WAF rules blocking suspicious plugin uploads, plus endpoint monitoring via Wordfence or similar tools.
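To make the two points above concrete (the PTR-only trust described in the code walkthrough, and the token-based validation recommended to developers), here is an added PHP example. It is not CleanTalk’s code: the function names, the trusted suffix cleantalk.example, the shared secret and the resolver fixture are all assumptions constructed for illustration, and the resolver is faked so the script runs offline (PHP 8+).

```php
<?php
// Added example (not CleanTalk's code): a simplified model of a PTR-suffix
// remote-call check next to a hardened version. Function names, the trusted
// suffix and the constructed resolver data are assumptions for illustration.

/** Minimal resolver interface so the example runs offline without real DNS. */
interface Resolver {
    public function ptr(string $ip): ?string;      // reverse lookup: IP -> hostname
    public function forward(string $host): array;  // forward lookup: hostname -> IPs
}

/** Constructed fixture: only 203.0.113.10 is genuinely an api.cleantalk.example host. */
final class FakeResolver implements Resolver {
    private array $ptr = [
        '203.0.113.10' => 'api.cleantalk.example',  // forward record agrees
        '198.51.100.7' => 'api.cleantalk.example',  // PTR claims the name; forward record does not agree
    ];
    private array $forward = [
        'api.cleantalk.example' => ['203.0.113.10'],
    ];
    public function ptr(string $ip): ?string { return $this->ptr[$ip] ?? null; }
    public function forward(string $host): array { return $this->forward[$host] ?? []; }
}

const TRUSTED_SUFFIX = '.cleantalk.example';  // assumed; stands in for the vendor domain

/** Weak pattern (the class of bug described above): trust the PTR hostname alone. */
function weakCheck(Resolver $dns, string $ip): bool {
    $host = $dns->ptr($ip);
    return $host !== null && str_ends_with($host, TRUSTED_SUFFIX);
}

/** Hardened: a valid HMAC token is mandatory; forward-confirmed reverse DNS is only a second gate. */
function hardenedCheck(Resolver $dns, string $ip, string $secret, string $body, string $token): bool {
    // 1. Cryptographic authentication: the token must be an HMAC of the request
    //    body under a secret shared with the vendor. hash_equals is constant-time.
    $expected = hash_hmac('sha256', $body, $secret);
    if (!hash_equals($expected, $token)) {
        return false;
    }
    // 2. Forward-confirmed reverse DNS: the PTR hostname must resolve back to the
    //    connecting IP. Whoever controls an IP's reverse zone can publish any PTR
    //    name, but cannot make the vendor's forward zone point at that IP.
    $host = $dns->ptr($ip);
    if ($host === null || !str_ends_with($host, TRUSTED_SUFFIX)) {
        return false;
    }
    return in_array($ip, $dns->forward($host), true);
}

// Demonstration with the constructed fixture.
$dns       = new FakeResolver();
$secret    = 'assumed-shared-secret';           // assumed; would come from the plugin's configured key
$body      = 'action=update_plugin';
$goodToken = hash_hmac('sha256', $body, $secret);

var_dump(weakCheck($dns, '198.51.100.7'));                                   // IP whose PTR merely claims the vendor name
var_dump(hardenedCheck($dns, '198.51.100.7', $secret, $body, $goodToken));   // same IP, correct token
var_dump(hardenedCheck($dns, '203.0.113.10', $secret, $body, 'bad-token'));  // genuine IP, wrong token
var_dump(hardenedCheck($dns, '203.0.113.10', $secret, $body, $goodToken));   // genuine IP, correct token
```

The weak check accepts 198.51.100.7 purely because its PTR name ends in the trusted suffix, which is exactly the property an attacker controlling their own reverse zone can set. The hardened check rejects that address twice over: the forward lookup of api.cleantalk.example does not contain it, and, more importantly, no request gets past step 1 without a token derived from the shared secret. Step 2 is kept only as defense in depth; the token is the authentication.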

Wordfence patched its firewall rules pre-disclosure, shielding millions. But unpatched sites linger; scans show ~15% of CleanTalk installs still vulnerable. Attackers love easy wins like this; expect proof-of-concepts soon, if not already circulating on Exploit-DB.

Site: cybersecuritypath.com
