Advisory

Critical CleanTalk Plugin Vulnerability Allows WordPress Site Takeover via DNS Spoofing

Take action: If you are using "Spam protection, Anti-Spam, FireWall by CleanTalk", update ASAP. Never rely on DNS records for authentication; they are easily spoofed by attackers.



CleanTalk, a WordPress spam protection plugin, has patched a critical vulnerability that allows unauthenticated attackers to gain administrative control over websites.

The flaw, tracked as CVE-2026-1490 (CVSS score 9.8), is an authorization bypass in the checkWithoutToken function, which insecurely relies on reverse DNS (PTR) records to verify requests. An attacker can spoof PTR records so that malicious requests appear to originate from CleanTalk's trusted infrastructure. Because the function does not require a cryptographic token when the PTR record matches, the attacker bypasses the standard security checks and can trigger administrative actions such as installing and activating arbitrary plugins from the WordPress repository.

By installing a rogue plugin, an attacker effectively gains administrative powers and can execute code remotely (RCE), modify sensitive system files, or steal user data from the WordPress database.

This vulnerability affects the "Spam protection, Anti-Spam, FireWall by CleanTalk" plugin in all versions up to and including 6.71. 

CleanTalk has released version 6.72 to patch the issue by removing the sole reliance on PTR records for authorization. WordPress administrators are strongly urged to update to the latest version immediately to prevent exploitation. If an update is not possible, the plugin should be deactivated and removed to eliminate the attack surface.
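To illustrate the weakness class described above, the following is an added PHP example, not CleanTalk's code: a check that trusts the client IP's PTR record alone, beside a check that requires an HMAC token and gives DNS no say in the decision. The hostname suffix, shared secret, request body and resolver entries are all constructed for this example.

```php
<?php
// Added illustration (not CleanTalk's code) of why a PTR-only check is not
// authentication, and what a token-based check looks like instead.

// Placeholder suffix, not CleanTalk's real domain.
const TRUSTED_SUFFIX = '.example-trusted.test';

// Constructed stand-in for gethostbyaddr(). A PTR record is set by whoever
// controls the reverse zone for the client IP, so a forged entry looks exactly
// like a genuine one to the application.
$ptr_records = [
    '203.0.113.10' => 'api.example-trusted.test',          // genuine
    '198.51.100.7' => 'attacker-box.example-trusted.test', // forged PTR
];

/**
 * Weak check: the privileged code path is granted when the PTR of the client
 * IP ends with the trusted suffix, and no token is required in that case.
 */
function weak_is_trusted(string $ip, array $ptr_records): bool
{
    $host = $ptr_records[$ip] ?? null;
    if ($host === null) {
        return false;
    }
    return str_ends_with($host, TRUSTED_SUFFIX);
}

/**
 * Hardened check: the request must carry an HMAC over its body computed with
 * a secret shared between the site and the service. DNS is not consulted.
 */
function strong_is_trusted(string $body, string $presented_token, string $secret): bool
{
    $expected = hash_hmac('sha256', $body, $secret);
    // Constant-time comparison; a token of the wrong length simply fails.
    return hash_equals($expected, $presented_token);
}

// Demonstration with constructed values.
$secret = 'constructed-shared-secret';
$body   = '{"action":"install_plugin","slug":"example"}';
$token  = hash_hmac('sha256', $body, $secret);

echo 'weak check, forged PTR:   ', weak_is_trusted('198.51.100.7', $ptr_records) ? "granted\n" : "denied\n";
echo 'strong check, bad token:  ', strong_is_trusted($body, 'not-a-valid-token', $secret) ? "granted\n" : "denied\n";
echo 'strong check, good token: ', strong_is_trusted($body, $token, $secret) ? "granted\n" : "denied\n";
```

The weak check grants the forged PTR entry because nothing in it is bound to a secret the attacker lacks; the hardened check only passes when the caller can produce the HMAC.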
