CVE-2026-8071: Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 - Unauthenticated Stored XSS via Comment Shortcode Bypass
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 6.79
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a stored cross-site scripting (XSS) vulnerability in the Anti-Spam by CleanTalk. Spam protection WordPress plugin before version 6.79. An unauthenticated attacker can inject malicious JavaScript into approved comments by abusing a sanitization gap in the plugin's email-encoding shortcode; the script executes in the browser of any user who views the affected post, including site administrators. Successful exploitation gives the attacker the ability to read session tokens, perform actions on behalf of the victim, and fully compromise site integrity when an administrator triggers the payload. A patched-image rebuild at version 6.79 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-8071 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle this plugin.
HarborGuard scores this CVE at CVSS 8.8 HIGH and applies per-environment compliance policy weighting to prioritize alert routing; findings are forwarded to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild pinned to Anti-Spam by CleanTalk version 6.79 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker submits a crafted comment over the network to any publicly reachable WordPress installation running the vulnerable plugin, with no need for local or physical access.
- Authentication: Not required
No account or credentials are needed; the comment submission endpoint is open to anonymous users by default.
- Victim interaction: Required
A user (such as a site administrator) must view the post containing the injected comment in their browser for the malicious script to execute.
- Attack complexity: Low
Exploitation is reliable and condition-free; once the comment is approved, the payload fires for every subsequent page view with no race condition or special environmental setup required.
Blast Radius
- Reads session cookies and authentication tokens from the victim's browser, enabling account takeover.
- Performs arbitrary administrative actions in the WordPress dashboard on behalf of an administrator who views the post.
- Modifies site content, injects persistent backdoors, or creates rogue admin accounts using the hijacked session.
- Exfiltrates data visible to the victim, including customer records or other sensitive content rendered on the page.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-8071 is matched against customer images immediately upon ingestion, flagged at CVSS 8.8 HIGH, and routed according to each environment's compliance policy. Where a fix version (6.79) is available, HarborGuard can generate a rebuilt image at the patched version. For customers who opt into auto-remediation, the typical flow includes a rebuilt image, a regression-test run, and a pull request opened against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not permitted, HarborGuard surfaces the finding with remediation guidance recommending an immediate upgrade to plugin version 6.79, and optionally applying a web application firewall (WAF) rule to strip or reject requests containing the vulnerable shortcode syntax as a compensating control until the update is applied.
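An application-layer form of the compensating control mentioned above (stripping shortcode-like tags from comments submitted by users without unfiltered_html), written as an added example for this page and not code from CleanTalk or HarborGuard. It assumes a WordPress site where this file is placed in wp-content/mu-plugins/; the two filter names are WordPress core hooks, while the priority chosen for comment_text assumes the plugin's own shortcode expansion runs at the default priority 10.

```php
<?php
/**
 * Plugin Name: Shortcode-tag stripper for comments (hypothetical compensating control)
 * Description: Removes shortcode-like tags from comment text submitted by users who
 *              lack the unfiltered_html capability, both on save and on display.
 */
defined('ABSPATH') || exit;

// Anything shaped like a shortcode tag: [name], [name attr="..."] or [/name].
// Deliberately broader than WordPress's strip_shortcodes(), which only removes
// shortcodes that are registered at the moment it runs.
const CC_SHORTCODE_TAG_RE = '/\[\/?[A-Za-z0-9_-]+(?:\s[^\]]*)?\]/';

function cc_strip_shortcode_tags($content) {
    $stripped = preg_replace(CC_SHORTCODE_TAG_RE, '', $content);
    if ($stripped === null) {          // regex engine failure: leave content untouched
        return $content;
    }
    if ($stripped !== $content) {      // record that a tag was removed, for later review
        error_log('comment shortcode tag stripped, remote ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    }
    return $stripped;
}

// On save: runs inside wp_filter_comment() before the comment reaches the database,
// so the stored text never contains the tag. Privileged authors are left alone.
add_filter('pre_comment_content', function ($content) {
    return current_user_can('unfiltered_html') ? $content : cc_strip_shortcode_tags($content);
}, 5);

// On display: covers comments that were stored before this control was installed.
// Priority 1 so it runs ahead of any shortcode expansion hooked on comment_text
// (assumption: the plugin hooks comment_text at the default priority 10).
add_filter('comment_text', 'cc_strip_shortcode_tags', 1);
```

The display-time hook means previously approved comments are cleaned only at render time, not in the database; the control is a stop-gap until the plugin is upgraded to 6.79.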
Fix available
- Unknown / Anti-Spam by CleanTalk. Spam protection < 6.79 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H