CVE-2026-1490
CVE-2026-1490 is a critical-severity vulnerability with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-350.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 1% (63rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-5835
- Weakness: CWE-350
- Published:
- Last modified:
Description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
Frequently asked questions
- What is CVE-2026-1490?
- The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
- How severe is CVE-2026-1490?
- CVE-2026-1490 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-1490 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (63rd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-1490?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-1490 have an EU (EUVD) identifier?
- Yes. CVE-2026-1490 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-5835.
- When was CVE-2026-1490 published?
- CVE-2026-1490 was published on 2026-02-15 and last updated on 2026-06-17.
References
- https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/trunk/lib/Cleantalk/ApbctWP/RemoteCalls.php#L69
- https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/trunk/lib/Cleantalk/Common/Helper.php#L64
- https://plugins.trac.wordpress.org/changeset/3454488/cleantalk-spam-protect#file473
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cb603be6-4a12-49e1-b8cc-b2062eb97f16?source=cve
Other CWE-350 vulnerabilities
- CVE-2023-52235 — High (CVSS 8.8): SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish before 07dd2798-ff15-4722-a9ee-de28928aed34 allow…
- CVE-2025-8036 — High (CVSS 8.1): Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS…
- CVE-2026-33002 — High (CVSS 7.5): Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin…
- CVE-2021-34561 — High (CVSS 7.5): In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or…
- CVE-2021-22884 — High (CVSS 7.5): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes…
- CVE-2026-36604 — Medium (CVSS 6.5): Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS…