CVE-2026-8071 Overview
CVE-2026-8071 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Anti-Spam by CleanTalk WordPress plugin. The flaw affects all versions prior to 6.79. The plugin fails to sanitize content within a custom shortcode used by its email-encoding feature. Unauthenticated attackers can inject arbitrary JavaScript into approved comments. The malicious payload executes in any visitor's browser, including site administrators viewing the affected post.
Critical Impact
Unauthenticated attackers can inject persistent scripts that execute in administrator browsers, enabling session theft, account takeover, and full WordPress site compromise.
Affected Products
- Anti-Spam by CleanTalk WordPress plugin versions prior to 6.79
- WordPress sites using the CleanTalk email-encoding shortcode feature
- Any WordPress installation with the vulnerable plugin active in comment workflows
Discovery Timeline
- 2026-06-10 - CVE-2026-8071 published to the National Vulnerability Database (NVD)
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-8071
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) flaw classified under [CWE-79]. The Anti-Spam by CleanTalk plugin provides an email-encoding feature that processes a custom shortcode within comment content. The shortcode handler renders user-supplied input back into the page without proper output encoding or sanitization.
Attackers submit comments containing the vulnerable shortcode wrapped around JavaScript payloads. Once a comment is approved, either automatically or by a moderator, the payload becomes persistent within the post's rendered HTML. Every subsequent visitor to the post executes the injected script in their browser session.
The attack does not require authentication. Any anonymous visitor can submit the malicious comment through the standard WordPress commenting interface. User interaction is required only on the victim side, as a user must view the affected post for the payload to fire.
Root Cause
The plugin's shortcode parser handles the email-encoding feature without escaping HTML control characters or stripping script-capable constructs before rendering. Input passed to the shortcode is treated as trusted markup rather than untrusted user data. This results in JavaScript executing in the document context of the WordPress site.
Attack Vector
The attack originates over the network through standard HTTP comment submission. Exploitation requires user interaction in the form of a victim viewing the comment-bearing post. The scope is unchanged, but successful exploitation impacts confidentiality, integrity, and availability of the WordPress instance, particularly when an administrator triggers the payload.
The vulnerability mechanism is documented in the WPScan Vulnerability Advisory. No public proof-of-concept code is verified at this time.
Detection Methods for CVE-2026-8071
Indicators of Compromise
- Approved WordPress comments containing the CleanTalk email-encoding shortcode wrapped around <script> tags, javascript: URIs, or event handler attributes such as onerror and onload
- Unexpected administrator session activity, password resets, or new privileged users created shortly after viewing posts with recent comments
- Outbound browser requests from admin sessions to attacker-controlled domains immediately after rendering a comment thread
Detection Strategies
- Audit the wp_comments table for shortcode patterns combined with HTML tags, script keywords, or entity-encoded variants such as &lt;script
- Monitor WordPress admin sessions for anomalous XHR or fetch requests to external hosts originating from post or comment pages
- Compare the installed CleanTalk plugin version against the fixed release 6.79 across all managed WordPress instances
Monitoring Recommendations
- Enable web application firewall (WAF) logging for comment submission endpoints and alert on shortcode patterns containing script-like content
- Forward WordPress access and authentication logs to a centralized analytics platform to correlate comment approvals with subsequent administrative actions
- Track plugin file integrity and configuration changes to detect attacker persistence following a successful XSS-driven account takeover
How to Mitigate CVE-2026-8071
Immediate Actions Required
- Update the Anti-Spam by CleanTalk plugin to version 6.79 or later on every WordPress site under management
- Review and purge recent comments containing the vulnerable shortcode or any HTML or JavaScript payloads
- Rotate administrator credentials and invalidate active sessions if administrators viewed posts with suspicious comments before patching
Patch Information
The vendor addressed the issue in Anti-Spam by CleanTalk version 6.79. The fix introduces proper sanitization of shortcode content in the email-encoding feature. Administrators should apply the update through the WordPress plugin manager or by deploying the updated package via their configuration management pipeline. Refer to the WPScan Vulnerability Advisory for additional technical context.
Workarounds
- Disable the Anti-Spam by CleanTalk plugin until the patched version can be deployed
- Set comment moderation to require manual approval and reject any comment containing raw shortcodes or HTML tags
- Deploy a WAF rule that blocks comment submissions containing the CleanTalk email-encoding shortcode combined with <, >, or javascript: substrings
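A triage scanner for the wp_comments audit and the WAF-style pattern above, added here as an illustration rather than code from the advisory or the CleanTalk project. Because the advisory does not name the email-encoding shortcode, the tag is a parameter and "ct_email" below is a placeholder; the sample rows are constructed.

```python
import html
import re

# Assumption: the advisory does not name the email-encoding shortcode, so the
# scanner takes the tag name as a parameter instead of hard-coding one.
SCRIPT_LIKE = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|img|svg|object|embed)\b",
    re.IGNORECASE,
)

def normalize(text: str) -> str:
    """Undo up to two layers of entity encoding so &lt;script, &#x3c;script
    and &amp;lt;script are all inspected in decoded form."""
    for _ in range(2):
        text = html.unescape(text)
    return text

def shortcode_payloads(content: str, tag: str) -> list:
    """Collect the attribute text of every [tag ...] and the body of every
    enclosing [tag]...[/tag]; both are attacker-controlled in this bug class."""
    t = re.escape(tag)
    attrs = re.findall(r"\[" + t + r"\b([^\]]*)\]", content, re.IGNORECASE)
    bodies = re.findall(r"\[" + t + r"\b[^\]]*\](.*?)\[/" + t + r"\]",
                        content, re.IGNORECASE | re.DOTALL)
    return attrs + bodies

def is_suspicious(content: str, tag: str) -> bool:
    """Heuristic: script-capable markup inside the shortcode (the CWE-79 sink)."""
    return any(SCRIPT_LIKE.search(normalize(p)) for p in shortcode_payloads(content, tag))

def scan_comments(rows: list, tag: str) -> list:
    """rows mimic wp_comments (comment_ID, comment_approved, comment_content).
    Returns IDs of *approved* comments to review and purge; pending comments
    are still held by moderation and are left for the caller to report."""
    return [cid for cid, approved, body in rows
            if approved == "1" and is_suspicious(body, tag)]

# Constructed sample rows (not real data); "ct_email" is a placeholder tag name.
SAMPLE_ROWS = [
    (101, "1", "Mail me: [ct_email]alice@example.com[/ct_email]"),
    (102, "1", "[ct_email]<script>alert(1)</script>[/ct_email]"),
    (103, "1", "[ct_email]&lt;script&gt;alert(1)&lt;/script&gt;[/ct_email]"),
    (104, "1", "[ct_email]<img src=x onerror=alert(1)>[/ct_email]"),
    (105, "1", '[ct_email href="javascript:alert(1)"]x[/ct_email]'),
    (106, "0", "[ct_email]<script>alert(1)</script>[/ct_email]"),   # still pending
    (107, "1", "Note that 1 < 2 in [ct_email]bob@example.com[/ct_email]"),
]

if __name__ == "__main__":
    print("review and purge comment IDs:", scan_comments(SAMPLE_ROWS, "ct_email"))
```

The same predicate can gate the comment-submission endpoint in a WAF, where it is stricter than the advisory's raw `<`/`>` rule because a bare angle bracket outside the shortcode (row 107) is not flagged.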
# Update the CleanTalk plugin using WP-CLI on each affected site
wp plugin update cleantalk-spam-protect --version=6.79
# Verify the installed version
wp plugin get cleantalk-spam-protect --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.