Vulnerabilities and security research for cleantalk-spam-protect
Jun 11, 2026
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2026-8071
- CVE, Research URL
- Date
- Jun 10, 2026
- Research Description
- The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
- Affected versions
- max 6.79.
- Status
- vulnerable
Apr 13, 2026
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2026-1490
- CVE, Research URL
- Date
- Feb 15, 2026
- Research Description
- The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
- Affected versions
- max 6.72.
- Status
- vulnerable
Nov 26, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2024-10542
- CVE, Research URL
- Date
- Nov 26, 2024
- Research Description
- The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
- Affected versions
- max 6.44.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2024-10781
- CVE, Research URL
- Date
- Nov 26, 2024
- Research Description
- The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
- Affected versions
- max 6.45.
- Status
- vulnerable
Aug 02, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk # PSC-2024-64521
- PSC, Research URL
- Date
- Apr 10, 2025
- Research Description
- Spam Protection, Anti-Spam, Firewall by CleanTalk is a top-rated solution designed to safeguard your WordPress site from spam without the need for CAPTCHAs, questions, puzzles, or any other intrusive methods. This universal anti-spam plugin offers a seamless and effective way to stop spam across comments, registrations, contact emails, orders, bookings, subscriptions, surveys, and more. CleanTalk’s cloud-based service ensures real-time email validation and comprehensive spam protection, enhancing the overall quality and performance of your website while being compatible with GDPR regulations.
- Affected versions
- Min 6.79.1, max 6.79.1.
- Status
- SAFE & CERTIFIED
Jun 10, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2023-33996
- CVE, Research URL
- Date
- Dec 13, 2024
- Research Description
- Missing Authorization vulnerability in CleanTalk - Anti-Spam Protection Spam protection, AntiSpam, FireWall by CleanTalk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spam protection, AntiSpam, FireWall by CleanTalk: from n/a through 6.10.
- Affected versions
- max 6.11.
- Status
- vulnerable
Jun 07, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2021-24295
- CVE, Research URL
- Date
- May 17, 2021
- Research Description
- It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.
- Affected versions
- max 5.153.4.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2021-24131
- CVE, Research URL
- Date
- Mar 18, 2021
- Research Description
- Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, leads to multiple authenticated SQL injection vulnerabilities; however, exploitation requires a high-privilege user (admin+).
- Affected versions
- max 5.149.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2019-17515
- CVE, Research URL
- Date
- Nov 14, 2019
- Research Description
- The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter. The component is: inc/cleantalk-users.php and inc/cleantalk-comments.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL.
- Affected versions
- max 5.127.4.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2022-28222
- CVE, Research URL
- Date
- Apr 20, 2022
- Research Description
- The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php`.
- Affected versions
- max 5.174.1.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2022-28221
- CVE, Research URL
- Date
- Apr 20, 2022
- Research Description
- The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Comments.php`.
- Affected versions
- max 5.174.1.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2022-3302
- CVE, Research URL
- Date
- Oct 25, 2022
- Research Description
- The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high-privilege users such as admin.
- Affected versions
- max 5.185.1.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2023-51696
- CVE, Research URL
- Date
- Feb 29, 2024
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in CleanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk. This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20.
- Affected versions
- max 6.21.
- Status
- vulnerable
Spam protection, Anti-Spam, FireWall by CleanTalk # CVE-2023-51535
- CVE, Research URL
- Date
- Jan 05, 2024
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in CleanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk. This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20.
- Affected versions
- max 6.21.
- Status
- vulnerable