CleanTalk WordPress Plugin Authorization Bypass Vulnerability Allowing Arbitrary Plugin Installation

Vulnerability

A vulnerability exists in the CleanTalk Spam Protection, Anti-Spam, FireWall WordPress plugin, in all versions through 6.71. The issue arises from an authorization bypass that allows unauthenticated users to install and activate arbitrary plugins. This vulnerability is made possible by spoofing reverse DNS (PTR records) in the 'checkWithoutToken' function. Notably, this exploit can lead to remote code execution if a vulnerable plugin is activated, and it is only applicable to sites using an invalid API key.

Impact

Exploitation of this vulnerability allows for unauthorized installation and activation of plugins, which could be used to execute remote code, especially if another vulnerable plugin is already active.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with a spoofed PTR record that tricks the server into thinking it is a CleanTalk remote call. This can be done by using a DNS service that allows PTR record manipulation. Ensure that the API key for the site is invalid, as this vulnerability only works under that condition.

Remediation

Users are advised to update the CleanTalk WordPress plugin to version 6.72 or later.

Added: Feb 15, 2026, 4:19 AM
Updated: Feb 15, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
10.0
exploitability
8.0
remediation
7.7
relevance
1.9
threat
4.8
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.