CVE-2026-8071
HIGH
Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 - Unauthenticated Stored XSS via Comment Shortcode Bypass
Title source: cna
Description
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post.
References (1)
Core References
https://wpscan.com/vulnerability/0d4635b5-2d79-4337-a1ad-6b8d02cfd64b/ (exploit, vdb-entry, technical-description)
Scores
CVSS v3: 8.8
EPSS: 0.0028
EPSS Percentile: 19.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (1)
None/Anti-Spam by CleanTalk. Spam protection: < 6.79
Published: Jun 10, 2026
Tracked Since: Jun 10, 2026