Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Stop Spammers Classic by webguyio

    CVE-2025-14795 (GCVE-0-2025-14795)

    Vulnerability from nvd – Published: 2026-01-28 13:26 – Updated: 2026-04-08 16:55
    VLAI
    Title
    Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
    Summary
    The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    webguyio Stop Spammers Classic Affected: 0 , ≤ 2026.1 (semver)
    Create a notification for this product.
    Credits
    Stephanie Walters
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14795",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-28T14:26:16.361442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-28T14:28:44.994Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Stop Spammers Classic",
              "vendor": "webguyio",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Stephanie Walters"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:55:49.327Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3436357/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3440788/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-27T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Stop Spammers Classic \u003c= 2026.1 - Cross-Site Request Forgery via Email Allowlist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-14795",
        "datePublished": "2026-01-28T13:26:14.651Z",
        "dateReserved": "2025-12-16T18:04:36.930Z",
        "dateUpdated": "2026-04-08T16:55:49.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2935 (GCVE-0-2025-2935)

    Vulnerability from nvd – Published: 2025-06-06 06:42 – Updated: 2026-04-08 17:15
    VLAI
    Title
    Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms <= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions
    Summary
    The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    webguyio Stop Spammers Classic Affected: 0 , ≤ 2024.7 (semver)
    Create a notification for this product.
    Credits
    Noah Stead
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:42:31.489460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T16:08:45.282Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Stop Spammers Classic",
              "vendor": "webguyio",
              "versions": [
                {
                  "lessThanOrEqual": "2024.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noah Stead"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the \u0027ss_option_maint.php\u0027 and \u0027ss_user_filter_list\u0027 files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:28.106Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aefb192a-ed42-44a9-bbd1-5906909a419c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/trunk/settings/ss_option_maint.php#L73"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/trunk/settings/ss_user_filter_list.php#L239"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/trunk/settings/ss_user_filter_list.php#L447"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3377746%40stop-spammer-registrations-plugin\u0026new=3377746%40stop-spammer-registrations-plugin\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-05T17:43:52.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms \u003c= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2935",
        "datePublished": "2025-06-06T06:42:53.165Z",
        "dateReserved": "2025-03-28T17:21:18.792Z",
        "dateUpdated": "2026-04-08T17:15:28.106Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-7065 (GCVE-0-2023-7065)

    Vulnerability from nvd – Published: 2024-05-04 07:36 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Stop Spammers Security | Block Spam Users, Comments, Forms <= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process
    Summary
    The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    webguyio Stop Spammers Classic Affected: 0 , ≤ 2024.4 (semver)
    Create a notification for this product.
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-7065",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-15T16:00:43.878619Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:25.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:07.773Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1998cadb-2eb3-4819-aa7c-59e4f777c7f8?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3080581%40stop-spammer-registrations-plugin\u0026new=3080581%40stop-spammer-registrations-plugin\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Stop Spammers Classic",
              "vendor": "webguyio",
              "versions": [
                {
                  "lessThanOrEqual": "2024.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin\u0027s allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:54.013Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1998cadb-2eb3-4819-aa7c-59e4f777c7f8?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3080581%40stop-spammer-registrations-plugin\u0026new=3080581%40stop-spammer-registrations-plugin\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Stop Spammers Security | Block Spam Users, Comments, Forms \u003c= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-7065",
        "datePublished": "2024-05-04T07:36:21.368Z",
        "dateReserved": "2023-12-21T18:42:12.264Z",
        "dateUpdated": "2026-04-08T16:37:54.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14795 (GCVE-0-2025-14795)

    Vulnerability from cvelistv5 – Published: 2026-01-28 13:26 – Updated: 2026-04-08 16:55
    VLAI
    Title
    Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
    Summary
    The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    webguyio Stop Spammers Classic Affected: 0 , ≤ 2026.1 (semver)
    Create a notification for this product.
    Credits
    Stephanie Walters
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14795",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-28T14:26:16.361442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-28T14:28:44.994Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Stop Spammers Classic",
              "vendor": "webguyio",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Stephanie Walters"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:55:49.327Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3436357/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3440788/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-27T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Stop Spammers Classic \u003c= 2026.1 - Cross-Site Request Forgery via Email Allowlist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-14795",
        "datePublished": "2026-01-28T13:26:14.651Z",
        "dateReserved": "2025-12-16T18:04:36.930Z",
        "dateUpdated": "2026-04-08T16:55:49.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2935 (GCVE-0-2025-2935)

    Vulnerability from cvelistv5 – Published: 2025-06-06 06:42 – Updated: 2026-04-08 17:15
    VLAI
    Title
    Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms <= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions
    Summary
    The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    webguyio Stop Spammers Classic Affected: 0 , ≤ 2024.7 (semver)
    Create a notification for this product.
    Credits
    Noah Stead
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:42:31.489460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T16:08:45.282Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Stop Spammers Classic",
              "vendor": "webguyio",
              "versions": [
                {
                  "lessThanOrEqual": "2024.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noah Stead"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the \u0027ss_option_maint.php\u0027 and \u0027ss_user_filter_list\u0027 files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:28.106Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aefb192a-ed42-44a9-bbd1-5906909a419c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/trunk/settings/ss_option_maint.php#L73"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/trunk/settings/ss_user_filter_list.php#L239"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/trunk/settings/ss_user_filter_list.php#L447"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3377746%40stop-spammer-registrations-plugin\u0026new=3377746%40stop-spammer-registrations-plugin\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-05T17:43:52.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms \u003c= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2935",
        "datePublished": "2025-06-06T06:42:53.165Z",
        "dateReserved": "2025-03-28T17:21:18.792Z",
        "dateUpdated": "2026-04-08T17:15:28.106Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-7065 (GCVE-0-2023-7065)

    Vulnerability from cvelistv5 – Published: 2024-05-04 07:36 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Stop Spammers Security | Block Spam Users, Comments, Forms <= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process
    Summary
    The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    webguyio Stop Spammers Classic Affected: 0 , ≤ 2024.4 (semver)
    Create a notification for this product.
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-7065",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-15T16:00:43.878619Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:25.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:07.773Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1998cadb-2eb3-4819-aa7c-59e4f777c7f8?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3080581%40stop-spammer-registrations-plugin\u0026new=3080581%40stop-spammer-registrations-plugin\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Stop Spammers Classic",
              "vendor": "webguyio",
              "versions": [
                {
                  "lessThanOrEqual": "2024.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin\u0027s allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:54.013Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1998cadb-2eb3-4819-aa7c-59e4f777c7f8?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3080581%40stop-spammer-registrations-plugin\u0026new=3080581%40stop-spammer-registrations-plugin\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Stop Spammers Security | Block Spam Users, Comments, Forms \u003c= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-7065",
        "datePublished": "2024-05-04T07:36:21.368Z",
        "dateReserved": "2023-12-21T18:42:12.264Z",
        "dateUpdated": "2026-04-08T16:37:54.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }