CVE-2026-1490
Published: 15 February 2026
Summary
CVE-2026-1490 is a critical-severity Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the specific flaw in the CleanTalk plugin's checkWithoutToken function, eliminating the authorization bypass via PTR spoofing.
Prohibits user-installed software such as arbitrary plugins unless approved, directly countering the vulnerability's ability to install unauthorized plugins.
Monitors and verifies software integrity to detect unauthorized plugin installations and activations resulting from exploitation of the authorization bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing WordPress plugin directly enables remote exploitation of the application to install arbitrary plugins, matching T1190; chaining to RCE is secondary.
NVD Description
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71.…
more
This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
Deeper analysisAI
CVE-2026-1490 is an authorization bypass vulnerability in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress, affecting all versions up to and including 6.71. It stems from reverse DNS (PTR record) spoofing in the 'checkWithoutToken' function, enabling unauthorized arbitrary plugin installation. The issue is classified under CWE-350 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation is only possible on sites configured with an invalid API key.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By spoofing the PTR record, they bypass authorization checks to install and activate arbitrary plugins. This capability can be chained with another vulnerable plugin to achieve remote code execution.
Advisories and references, including Wordfence threat intelligence and WordPress plugin trac details, point to affected code in RemoteCalls.php (line 69) and Helper.php (line 64), with a patch available in changeset 3454488. Security practitioners should review these sources for patch deployment and mitigation guidance.
Details
- CWE(s)