The CleanTalk Spam Protection plugin for WordPress has a serious flaw that allows attackers to bypass authorization and take over websites. This vulnerability, tracked as CVE-2026-1490, affects thousands of WordPress installations that use the spam filtering plugin. It presents an immediate risk, with a CVSS score of 9.8: unauthenticated attackers can install any plugin and possibly run remote code.

The checkWithoutToken function in the plugin is the source of the issue. Rather than using safe techniques such as cryptographic tokens, this function verifies requests using Reverse DNS (PTR) records. Attackers exploit this by spoofing PTR records so that their requests appear to come from CleanTalk's trusted servers. The attack is simple because no authentication token is required.

CVE ID:      CVE-2026-1490
CVSS Score:  9.8 (Critical)
Description: Authorization bypass through Reverse DNS (PTR record) spoofing in CleanTalk Spam Protection, resulting in unauthenticated arbitrary plugin installation and potential RCE.

Once the flaw is exploited, attackers acquire full administrator-like powers. They can install any plugin from the WordPress repository, even ones with known vulnerabilities or backdoors.

This creates opportunities for persistent access, file modifications, database theft, and remote code execution (RCE). A malicious plugin might, for instance, exfiltrate user data or upload webshells. The flaw can only be exploited when the CleanTalk plugin is installed on a WordPress website with an invalid or missing API key. This is common in situations where the plugin's key is not renewed, such as development environments, lapsed subscriptions, or abandoned websites.

The threat is increased by the low attack complexity and lack of user interaction. On February 14, 2026, security researcher Nguyen Ngoc Duc (duc193) discovered the problem and made it public. By bolstering verification beyond PTR records, CleanTalk resolved it in version 6.72.

WordPress administrators should check and update their plugin version right away. If patching isn't practical, sites with invalid API keys should deactivate the plugin or renew their keys. This flaw highlights a crucial lesson: never rely solely on DNS for authorization. WordPress users should enable auto-updates, conduct routine plugin audits, and keep an eye out for invalid API key states.
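To illustrate why the PTR-only check in checkWithoutToken is insufficient and what "verification beyond PTR records" looks like, here is an added Python example (not the plugin's code). It uses a constructed in-memory resolver in place of real DNS, a placeholder trusted domain, and assumes, as the article describes, that a third party can control the reverse zone for its own IP but not the vendor's forward zone.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Placeholder for the vendor's domain (assumption, not from the article).
TRUSTED_SUFFIX = ".trusted.example"

@dataclass
class FakeResolver:
    """Constructed DNS data standing in for real reverse/forward lookups."""
    ptr: dict = field(default_factory=dict)   # ip -> hostname (reverse zone)
    a: dict = field(default_factory=dict)     # hostname -> set of ips (forward zone)

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, host):
        return self.a.get(host, set())

def ptr_only_check(ip, resolver):
    """The weak pattern: trust a request because its PTR name looks right."""
    host = resolver.reverse(ip)
    return host is not None and host.endswith(TRUSTED_SUFFIX)

def forward_confirmed_check(ip, resolver):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP."""
    host = resolver.reverse(ip)
    if host is None or not host.endswith(TRUSTED_SUFFIX):
        return False
    return ip in resolver.forward(host)

def sign(body, secret):
    """HMAC-SHA256 over the request body with a key shared with the vendor."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def token_check(body, presented_mac, secret):
    """Constant-time comparison of the presented token against the expected one."""
    return hmac.compare_digest(sign(body, secret), presented_mac)

def authorize(ip, body, presented_mac, resolver, secret):
    """Hardened decision: confirmed network origin AND a valid token, never DNS alone."""
    return forward_confirmed_check(ip, resolver) and token_check(body, presented_mac, secret)

# Constructed sample data: one genuine server and one IP whose reverse record
# merely claims the trusted name (the forward zone does not point back to it).
RESOLVER = FakeResolver(
    ptr={"203.0.113.10": "api.trusted.example",
         "198.51.100.7": "api.trusted.example"},
    a={"api.trusted.example": {"203.0.113.10"}},
)
```

With this data the PTR-only check accepts both IPs, while the forward-confirmed check and the token check reject the one that only controls its reverse record.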

Quick action stops takeover as attackers look for quick wins.