CVE-2026-8071: Anti-Spam by CleanTalk XSS Vulnerability – WordPress Plugin Patch Guide
A vulnerability in the Anti-Spam by CleanTalk WordPress plugin (versions before 6.79) allows attackers to inject malicious scripts into website comments without needing to log in. When site visitors or administrators view affected posts, the injected script executes in their browsers, potentially compromising accounts, stealing data, or spreading malware. The flaw exists in how the plugin's email-encoding shortcode processes user input.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8071 is a stored cross-site scripting (XSS) vulnerability in the Anti-Spam by CleanTalk plugin affecting all versions prior to 6.79. The vulnerability stems from insufficient input sanitization within a custom shortcode used for email encoding. An unauthenticated attacker can inject arbitrary JavaScript into approved comments; when the post is viewed by any user, including administrators, the malicious script executes in their browser context. The CVSS 3.1 score of 8.8 (HIGH) reflects the network-based attack vector, lack of authentication requirement, user interaction dependency, and high impact across confidentiality, integrity, and availability.
Business impact
WordPress sites running the vulnerable plugin are at risk of account compromise, data theft, and malware distribution. Because the injected script executes for all viewers—including site administrators—attackers can potentially escalate privileges, modify site content, or harvest sensitive information. For e-commerce or multi-author sites, this could result in unauthorized transactions, data breaches, or loss of user trust. The reputational damage from a compromised WordPress installation can be significant, particularly if malware is injected into pages served to visitors.
Affected systems
Any WordPress installation with the Anti-Spam by CleanTalk plugin installed and active at version 6.78 or earlier is vulnerable. The plugin is widely used for spam protection across WordPress sites of varying sizes. Exposure depends on plugin adoption and whether administrators have kept the plugin updated.
Exploitability
Exploitability is straightforward: an attacker submits a comment containing malicious JavaScript wrapped in the vulnerable shortcode, and if the comment passes moderation (or if the site allows unapproved comments), the script will execute for all subsequent viewers. No special privileges or authentication are required to craft the attack, though successful exploitation typically depends on the comment being approved or visible. The reliance on user interaction (viewing the post) is a minor friction point but does not significantly reduce risk given that legitimate site traffic will naturally trigger the payload.
Remediation
Update the Anti-Spam by CleanTalk plugin to version 6.79 or later immediately. This patch properly sanitizes input within the email-encoding shortcode, preventing script injection. Site administrators should also review published posts and comments for any suspicious or injected content, particularly those containing shortcodes, and remove or sanitize them if found.
Patch guidance
Upgrade the Anti-Spam by CleanTalk plugin to version 6.79 or later via the WordPress plugin dashboard (Plugins → Updates) or manually through the WordPress plugin repository. If automatic updates are not enabled, prioritize this update immediately given the HIGH severity and ease of exploitation. After patching, conduct a brief audit of recent approved comments to identify any malicious payloads that may have been injected prior to the update.
Detection guidance
Monitor WordPress comment activity for unusual syntax or shortcode patterns, particularly those embedding email-encoding functions. Use WordPress security plugins (e.g., Wordfence, Sucuri) configured to detect XSS and script injection attempts in comments. Log review should focus on any approved comments submitted shortly before the vulnerability disclosure or during periods when the plugin was unpatched. Additionally, review browser console errors or unexpected JavaScript execution on posts with suspected injected comments.
Why prioritize this
This vulnerability scores HIGH (CVSS 8.8) due to network accessibility, absence of authentication barriers, high impact on confidentiality and integrity, and the ease with which malicious comments can be crafted and served to administrators and users. The stored nature of the XSS means the attack persists until manually remediated, and the lack of a KEV designation does not diminish urgency—patching should not be deferred.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: (1) Network-based attack vector requiring no physical access; (2) Low complexity—standard comment submission suffices; (3) No privilege or authentication required; (4) User interaction required (viewing the post), which slightly lowers the score but remains likely in normal site usage; (5) High impact to confidentiality (session hijacking, credential theft), integrity (content modification, malware injection), and availability (potential account lockout or site defacement). The score appropriately captures the risk of widespread compromise across a WordPress installation.
Frequently asked questions
Does this vulnerability allow attackers to inject malware directly into the website?
No direct malware injection into server files occurs, but attackers can inject malicious JavaScript that executes in users' browsers when they view an affected post. This JavaScript can perform actions on behalf of the user—including stealing credentials, modifying content, or redirecting to malware sites—effectively giving attackers a foothold for further compromise.
Can this vulnerability be exploited if comments are moderated before publication?
Moderation adds a process gate: an attacker's malicious comment must be approved by a site administrator to become visible. However, if a human moderator fails to spot embedded scripts or if auto-moderation rules are inadequate, the comment can still be approved. Many sites also allow certain users to post without moderation, making this less of a true barrier in practice.
Do I need to do anything besides updating the plugin?
Update the plugin to 6.79 or later immediately. Additionally, review recent approved comments—especially those containing shortcodes or HTML-like syntax—for any suspicious or injected content, and remove or sanitize them. This prevents any pre-existing payloads from continuing to execute after you patch.
Is this vulnerability currently being exploited in the wild?
The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the ease of exploitation and the high CVSS score mean it should be treated as a priority regardless. Do not rely on KEV status as a gauge of urgency—patch promptly.
This analysis is provided for informational purposes and is based on the CVE record as of the publication date. Administrators are responsible for verifying patch availability and compatibility with their specific WordPress environment before deploying updates. No liability is assumed for decisions made based on this information. Always consult the official Anti-Spam by CleanTalk security advisory and your WordPress hosting provider for environment-specific guidance. This vulnerability analysis does not constitute legal or professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2023-54351HIGHStored XSS in WordPress Sonaar Music Plugin 4.7 – Patch & Detection Guide
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-11799HIGHUXSS in Mozilla Focus & Klar iOS – Patch to 151.3.1 Now
- CVE-2026-20258HIGHSplunk Enterprise & Cloud Platform Stored XSS in Dashboard HTML Panels