Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total5
Critical2
High3
Medium0
Reset
Showing 1-5 of 5 records
Threat Entry Updated 2026-04-15

CVE-2026-1490 - Firewall By Cleantalk Plugin

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.

PLUGIN Firewall By Cleantalk

CVE-2026-1490

CRITICAL CVSS 9.8 2026-02-15
Open Full Technical Breakdown
Threat Entry Updated 2025-07-12

CVE-2024-10781 - Firewall By Cleantalk Plugin

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

PLUGIN Firewall By Cleantalk

CVE-2024-10781

HIGH CVSS 8.1 2024-11-26
Open Full Technical Breakdown
Threat Entry Updated 2025-07-12

CVE-2024-10542 - Firewall By Cleantalk Plugin

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

PLUGIN Firewall By Cleantalk

CVE-2024-10542

CRITICAL CVSS 9.8 2024-11-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-09

CVE-2022-3302 - Firewall By Cleantalk Plugin

The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin

PLUGIN Firewall By Cleantalk

CVE-2022-3302

HIGH CVSS 7.2 2022-10-25
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24295 - Firewall By Cleantalk Plugin

It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.

PLUGIN Firewall By Cleantalk

CVE-2021-24295

HIGH CVSS 7.5 2021-05-17
Open Full Technical Breakdown
Scroll to top