Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 – Unauthenticated Stored XSS via Comment Shortcode Bypass | CVE 2026-8071

Description

The plugin does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.

Proof of Concept

**Prerequisites**: the plugin's email/contact encoder must be active. The encoder is gated by `$apbct->key_is_ok` and only registers its hooks once a valid CleanTalk access key is configured (the standard post-onboarding state).

1. Install and activate the `cleantalk-spam-protect` plugin v6.78.
2. As admin, visit Settings → Anti Spam by Cleantalk (`/wp-admin/options-general.php?page=cleantalk`) and click the 'Get Access Key' button to register the site with CleanTalk (the WP URL must not already be registered; `wordpress.local` is taken).
3. As an unauthenticated visitor, post a comment on any post with the following content (use a real-looking email address so CleanTalk's auto-moderation may approve it):

```html
[apbct_encode_data]<a href="http://test.com/" title="[/apbct_encode_data]">Test</a><a title="style='display:block;content-visibility:auto' oncontentvisibilityautostatechange='alert(1337);//'">Stealthcopter & Viper</a>
```

4. If auto-approval does not occur, approve the comment manually as Admin via `/wp-admin/edit-comments.php`.
5. View the post — `alert(1337)` fires for any visitor (including admins) as the comment scrolls into view.