CVE-2026-8071 CleanTalk CVE debrief

Who should care

Users of the Anti-Spam by CleanTalk. Spam protection WordPress plugin before version 6.79 should update to the latest version to prevent exploitation of this vulnerability.

Technical summary

The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post. The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is classified under CWE-79.

Defensive priority

HIGH

Recommended defensive actions

• Update the Anti-Spam by CleanTalk. Spam protection WordPress plugin to version 6.79 or later.
• Review and sanitize all user-input content within the plugin's email-encoding feature.

Evidence notes

The vulnerability was reported by [ref-4](https://wpscan.com/vulnerability/0d4635b5-2d79-4337-a1ad-6b8d02cfd64b/) and has a detailed description on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-8071).

Official resources