CleanTalk WordPress Plugin Vulnerability Puts 200,000 Sites at Risk

A critical vulnerability in the CleanTalk Anti-Spam WordPress plugin (up to version 6.71) could put as many as 200,000 websites at risk. Tracked as CVE-2026-1490 with a CVSS score of 9.8, the flaw can allow unauthenticated attackers to install arbitrary plugins and potentially achieve remote code execution. It was disclosed by Nguyen Ngoc Duc (duc193) via Wordfence Intelligence. #CleanTalk #CVE-2026-1490

Keypoints

  • The vulnerability affects the CleanTalk “Spam protection, Honeypot, Anti-Spam” plugin for WordPress in all versions up to 6.71.
  • The issue is cataloged as CVE-2026-1490 and has a critical CVSS rating of 9.8.
  • Unauthenticated attackers can exploit the flaw to install arbitrary plugins, which can lead to remote code execution under certain conditions.
  • Security researcher Nguyen Ngoc Duc (duc193) of KCSC identified the vulnerability.
  • The advisory was published through Wordfence Intelligence, and up to 200,000 sites may be exposed.

Read More: https://thecyberexpress.com/cleantalk-cve-2026-1490/