A plugin designed to keep spam bots at bay has inadvertently left the back door open for hackers. CleanTalk, a top-rated anti-spam solution for WordPress with over 200,000 active installations, has patched a critical vulnerability that could allow unauthenticated attackers to hijack websites.
Tracked as CVE-2026-1490, the flaw carries a near-maximum CVSS severity score of 9.8, signaling an immediate danger to affected site owners.
The vulnerability centers on a classic trust issue. The plugin, famous for its “no CAPTCHA, no puzzles” approach, failed to properly verify who was knocking at the door.
The flaw is found in the checkWithoutToken function. Attackers discovered they could bypass authorization checks using Reverse DNS (PTR) spoofing. By manipulating DNS records to make their malicious requests appear as though they originated from a trusted source, attackers could trick the plugin into granting them access without valid credentials.
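The following is an added illustration of why a reverse-DNS (PTR) check is a weak authorization signal and how a forward-confirmed check closes the gap. It is not CleanTalk's code, and the page does not show the internals of checkWithoutToken; the resolver tables, the hostnames, the IP addresses and the function names here are constructed stand-ins. The key point is that the owner of an IP range publishes its own PTR records, so an attacker can make their address "claim" any hostname, while only the service's domain owner controls the forward (A) records.

```python
from typing import Dict, List, Optional

# Hypothetical trusted service domain (constructed for this example).
TRUSTED_SUFFIX = ".example-antispam.invalid"

# Constructed offline stand-in for reverse DNS: PTR answers are published by
# whoever controls the IP range, so the attacker's entry can lie freely.
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "api.example-antispam.invalid",   # genuine service host
    "198.51.100.77": "api.example-antispam.invalid",  # attacker IP with a spoofed PTR
}

# Constructed stand-in for forward DNS: A records are published by the
# domain owner, which the attacker does not control.
A_RECORDS: Dict[str, List[str]] = {
    "api.example-antispam.invalid": ["203.0.113.10"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for an address from the constructed table."""
    return PTR_RECORDS.get(ip)


def forward_lookup(hostname: str) -> List[str]:
    """Return the A records for a hostname from the constructed table."""
    return A_RECORDS.get(hostname, [])


def naive_ptr_trust(ip: str) -> bool:
    """Weak pattern: trust the caller if its PTR name ends with the trusted suffix.

    Because the PTR record is controlled by the IP owner, this check accepts
    any address whose owner publishes a matching name.
    """
    name = reverse_lookup(ip)
    return name is not None and name.endswith(TRUSTED_SUFFIX)


def forward_confirmed_trust(ip: str) -> bool:
    """Hardened pattern (forward-confirmed reverse DNS).

    The PTR name must itself resolve forward to the original address. An
    attacker can publish a PTR pointing at the trusted domain, but cannot make
    the trusted domain's A records point back at their own IP.
    """
    name = reverse_lookup(ip)
    if name is None or not name.endswith(TRUSTED_SUFFIX):
        return False
    return ip in forward_lookup(name)


def evaluate(ip: str) -> Dict[str, bool]:
    """Run both checks for one caller so the difference is visible side by side."""
    return {
        "naive_ptr": naive_ptr_trust(ip),
        "forward_confirmed": forward_confirmed_trust(ip),
    }


if __name__ == "__main__":
    for caller in ("203.0.113.10", "198.51.100.77"):
        print(caller, evaluate(caller))
```

Running the block shows the genuine host passing both checks and the spoofed address passing only the naive one. Forward confirmation is a mitigation for code that must reason about caller identity from DNS at all; the stronger design is to require a valid token or signature on every privileged request and to treat network-level identity only as an additional signal, never as a substitute for credentials.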
The impact of this bypass is severe. Once the authorization is sidestepped, the attacker gains the ability to install and activate arbitrary plugins.
While installing a plugin might sound benign, it is the first step in a “kill chain.” Threat actors can upload older, vulnerable plugins known to contain security holes. Once these secondary plugins are activated, the attacker can leverage them to achieve Remote Code Execution (RCE), effectively taking full control of the web server.
The vulnerability is only exploitable on sites with an invalid API key. This typically affects sites where a subscription has expired, the key was entered incorrectly, or the service was set up but never fully activated.
The developers of CleanTalk have addressed this critical gap.
- Vulnerable Versions: All versions up to and including 6.71.
- Patched Version: 6.72.
Administrators are urged to verify their plugin version immediately. If your site is running an older version, and especially if your API key configuration is outdated, you are at high risk of compromise. Update to version 6.72 to close the door on this DNS spoofing attack.