There was a slight vulnerability in the comment scanning interface. It was not very serious, since only the logged-in administrator could execute the malware. In other words, in order to exploit a vulnerability, you need access to a site with
Vulnerability in the CleanTalk Anti-Spam plugin for WordPress
