A WordPress plugin vulnerability has placed as many as 200,000 websites at potential risk, following the disclosure of a severe flaw in the CleanTalk Anti-Spam plugin.

The issue, tracked as CVE-2026-1490, carries a CVSS severity rating of 9.8 out of 10 and could allow unauthenticated attackers to install arbitrary plugins, opening the door to remote code execution under certain conditions. 

The vulnerability was identified by security researcher Nguyen Ngoc Duc (duc193) of KCSC. The advisory was published through Wordfence Intelligence, which maintains a widely referenced vulnerability database for WordPress ecosystem threats.  Also read: 70,000 WordPress Sites Exposed by Inspiro Theme Se...