Unauthorized Plugin Installation in CleanTalk's Spam Protection Plugin for WordPress
CVE-2026-1490

9.8 CRITICAL

What is CVE-2026-1490?

CVE-2026-1490 is a vulnerability in the CleanTalk Spam Protection Plugin for WordPress, which provides anti-spam and related security features for WordPress sites. The flaw allows unauthorized installation of arbitrary plugins through an authorization bypass in the 'checkWithoutToken' function. It affects installations of the plugin before version 6.71 and is exposed when the plugin is configured with an invalid API key. Unauthenticated attackers can use this weakness to install and activate malicious plugins, which can lead to remote code execution if the installed plugins contain further vulnerabilities. Because the bypass requires no authentication, it is a serious concern for organizations that rely on this plugin to protect their websites from spam and other threats.
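As an added illustration of the bug class the advisory describes (an authorization check that falls open when the API key it depends on is invalid), the following is hypothetical code written for this page, not CleanTalk's own; every function and option name in it is an assumption, and it assumes it runs inside WordPress. The vulnerable shape is shown beside a hardened version that fails closed and, for plugin installation, also requires WordPress's own capability and nonce checks:

```php
<?php
// Hypothetical illustration, not CleanTalk's code. All names are constructed.

// Stand-in for API-key validation: a constructed rule that a key is
// "valid" when it has the expected shape.
function ct_demo_api_key_is_valid(string $api_key): bool {
    return (bool) preg_match('/^[a-z0-9]{16,}$/', $api_key);
}

// Stand-in for the request token a caller must present, derived from the key.
function ct_demo_expected_token(string $api_key): string {
    return hash('sha256', $api_key);
}

// VULNERABLE shape: an invalid API key short-circuits the token check and the
// request is treated as authorized, so an unauthenticated caller gets through.
function ct_demo_authorized_vulnerable(string $api_key, string $token): bool {
    if (!ct_demo_api_key_is_valid($api_key)) {
        return true; // fail-open: no key to check against, so nothing is checked
    }
    return hash_equals(ct_demo_expected_token($api_key), $token);
}

// HARDENED shape: fail closed when the key is invalid, verify the token with a
// constant-time comparison, and never let a privileged action such as plugin
// installation rest on the API key alone.
function ct_demo_authorized_hardened(string $api_key, string $token): bool {
    if (!ct_demo_api_key_is_valid($api_key)) {
        return false; // fail-closed
    }
    if (!hash_equals(ct_demo_expected_token($api_key), $token)) {
        return false;
    }
    // WordPress capability check plus a nonce bound to this specific action.
    // check_ajax_referer() with $stop = false returns false on a bad nonce
    // instead of terminating the request.
    return current_user_can('install_plugins')
        && check_ajax_referer('ct_demo_install_plugin', 'nonce', false) !== false;
}

// Constructed request with an invalid (empty) key and no token, as an
// unauthenticated caller would send it.
$invalid_key = '';
$no_token    = '';
var_dump(ct_demo_authorized_vulnerable($invalid_key, $no_token)); // bool(true)
var_dump(ct_demo_authorized_hardened($invalid_key, $no_token));   // bool(false)
```

The fail-closed branch alone removes the bypass; the capability and nonce checks ensure that a valid key still cannot substitute for an administrator when a plugin is being installed.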

Potential impact of CVE-2026-1490

  1. Unauthorized Plugin Installation: Exploitation of this vulnerability lets attackers install arbitrary plugins without authorization, undermining the security posture of the website. Once malicious plugins are installed, they open the door to further attacks.

  2. Remote Code Execution Risk: If the installed plugins are themselves vulnerable, attackers can execute arbitrary code on the server. This can lead to full control of the affected environment, allowing attackers to manipulate data, steal sensitive information, or carry out further malicious actions.

  3. Compromised Website Integrity: With the ability to install and activate plugins, attackers can alter the site's functionality, disrupt service availability, or inject malicious content, damaging the organization's reputation and eroding customer trust. Taken together, these outcomes can have significant operational and financial consequences for affected organizations.

Affected Version(s)

Spam protection, Honeypot, Anti-Spam by CleanTalk: versions 0 through 6.71 (0 <= version <= 6.71)

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Duc