Platform
wordpress
Component
stopwords-for-comments
Fixed in
1.1.1
CVE-2025-15376 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Stopwords for comments plugin for WordPress. The requests that add or delete stopwords can be forged by a page under attacker control, so an attacker who holds no account on the site can change the stopword list and with it the comment filtering the site relies on. All plugin versions up to and including 1.1 are affected; version 1.1.1 is listed as the fixed release.
The attacker does not call the plugin's endpoints with credentials of their own. They host a page that submits the forged request and get a site administrator to load it while logged in, for example through a link in an e-mail, a comment or a forum post. The administrator's browser attaches the session cookie, so the request executes with administrator rights; the victim's click is the precondition for the attack, not an amplifier of it. Deleting stopwords switches off the intended filtering and lets spam or malicious comment content through; adding stopwords can just as well suppress legitimate comments. The flaw does not by itself yield data exfiltration or code execution, but it degrades the site and can be a stepping stone for further attacks where stopwords influence other behaviour.
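As an added illustration of the flaw class described above (this is not the Stopwords for comments plugin's own code; the option name, nonce action, hook name and function names are assumptions chosen to show the pattern), the vulnerable handler beside a nonce-checked one in the WordPress plugin idiom:

```php
<?php
// Added example, not the Stopwords for comments plugin's own code. The option
// name, nonce action, hook name and function names are assumptions chosen to
// show the pattern.

// Vulnerable pattern: the handler trusts any request that arrives with the
// administrator's session cookie. A POST auto-submitted by an attacker's page
// looks identical to one sent from the plugin's own settings form.
function sfc_set_stopwords_vulnerable(): void {
    $words = isset($_POST['stopwords']) ? (string) $_POST['stopwords'] : '';
    update_option('sfc_stopwords', sanitize_textarea_field($words));
    wp_send_json_success();
}

// Hardened pattern: a nonce ties the request to a form this site rendered for
// this user, and the capability check is explicit rather than implied by the
// wp_ajax_ hook.
function sfc_set_stopwords_hardened(): void {
    // Ends the request with HTTP 403 when the nonce is absent or invalid.
    check_ajax_referer('sfc_set_stopwords', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    $words = isset($_POST['stopwords']) ? (string) $_POST['stopwords'] : '';
    update_option('sfc_stopwords', sanitize_textarea_field($words));
    wp_send_json_success();
}

// Register only the logged-in variant; a wp_ajax_nopriv_ hook would expose the
// action to anonymous visitors as well.
add_action('wp_ajax_set_stopwords_for_comments', 'sfc_set_stopwords_hardened');

// The settings form must emit the matching nonce. An attacker's page cannot
// read it cross-origin, so a forged POST fails the check in the handler.
function sfc_render_stopwords_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-ajax.php')); ?>">
        <input type="hidden" name="action" value="set_stopwords_for_comments">
        <?php wp_nonce_field('sfc_set_stopwords', 'nonce'); ?>
        <textarea name="stopwords"><?php echo esc_textarea(get_option('sfc_stopwords', '')); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

WordPress nonces are derived from the user's session and an action string and expire after 12 to 24 hours, so the check also defeats replay of a nonce captured from another user; the capability check is still needed because a nonce proves only that the logged-in user submitted the form, not that they are allowed to change settings.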
This CVE was publicly disclosed on 2026-01-14. No public proof-of-concept (PoC) code had been released at the time of writing. The severity is rated medium. It is not listed in the CISA KEV catalog.
Any WordPress site running the Stopwords for comments plugin at version 1.1 or earlier is exposed, and the only precondition an attacker needs is an administrator who visits other sites while logged in, which is the normal case. Sites where plugin updates lag, for example on shared or managed hosting with deferred updates, stay exposed longer, and sites with many administrator accounts offer more targets for the required lure.
• wordpress / composer / npm:
grep -r 'set_stopwords_for_comments' /var/www/html/wp-content/plugins/stopwords-for-comments/
(a hit only confirms the plugin is installed; compare the "Version:" line in the plugin header against 1.1.1)
• generic web:
curl -sI 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=set_stopwords_for_comments' | grep -iE '^HTTP/[0-9.]+ 200'
(a 200 only shows that admin-ajax.php answered an unauthenticated request for that action; it does not prove a vulnerable version is installed, and a 400 does not rule one out. The pattern matches both "HTTP/1.1 200 OK" and the "HTTP/2 200" status line, which carries no reason phrase)
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to update the Stopwords for comments plugin to version 1.1.1 or later. Until the update is applied, a Web Application Firewall rule can reject requests to the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' actions that do not come from the site itself: a WAF cannot validate WordPress nonces, but it can block requests whose Sec-Fetch-Site header is not "same-origin" or whose Origin or Referer names a foreign host. Keep the number of administrator accounts small, since every administrator is a potential CSRF victim, and review plugin configurations regularly.
Where no patched build can be installed, review the vulnerability details closely and apply protective measures in line with your organization's risk appetite. Uninstalling the affected plugin and finding an alternative may be the best option.
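An application-layer stand-in for the WAF rule above, as an added example that is not the plugin's or the page's own code: a must-use plugin that rejects cross-site requests to the two actions, preferring Fetch Metadata and falling back to an Origin/Referer host comparison. The action names are taken from the detection commands on this page; the file name and function names are invented.

```php
<?php
/**
 * Plugin Name: Interim cross-site guard for stopwords actions
 * Description: Added example, not the plugin's own code. Save as
 *              wp-content/mu-plugins/sfc-csrf-guard.php and remove after
 *              updating to 1.1.1. The guarded action names are assumptions.
 */

// Decide whether a request is cross-site. Fetch Metadata (Sec-Fetch-Site) is
// set by the browser and cannot be forged from a web page; the Origin/Referer
// fallback covers clients that do not send it.
function sfc_guard_is_cross_site(array $server, string $site_host): bool {
    $fetch_site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($fetch_site !== null) {
        // 'same-site' is rejected as well: a sibling subdomain is not trusted,
        // and 'none' (typed URL, bookmark) is not a valid way to change state.
        return $fetch_site !== 'same-origin';
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return true; // state-changing request with no provenance: refuse
    }
    $host = parse_url($source, PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, $site_host) !== 0;
}

function sfc_guard_block_cross_site_stopword_actions(): void {
    $guarded = ['set_stopwords_for_comments', 'delete_stopwords_for_comments'];
    $action  = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : '';
    if (!in_array($action, $guarded, true)) {
        return;
    }
    $site_host = (string) parse_url(home_url(), PHP_URL_HOST);
    if (sfc_guard_is_cross_site($_SERVER, $site_host)) {
        wp_die('Cross-site request to a stopwords action was rejected.',
               'Forbidden', ['response' => 403]);
    }
}

// admin_init fires for admin-ajax.php and admin-post.php as well as for admin
// screens, so one hook covers every entry point the actions can be reached by.
add_action('admin_init', 'sfc_guard_block_cross_site_stopword_actions', 0);
```

This is a compensating control, not a replacement for nonce validation in the plugin: it compares hosts only, ignores scheme and port, and depends on headers the client chooses to send. Remove it once 1.1.1 is installed so it does not mask future regressions.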
CVE-2025-15376 is a Cross-Site Request Forgery vulnerability in the Stopwords for comments WordPress plugin, allowing attackers to manipulate stopwords via forged requests.
If you are running the Stopwords for comments plugin at any version up to and including 1.1, you are affected by this vulnerability.
Update the Stopwords for comments plugin to version 1.1.1 or later. Until you can, block cross-site requests to the stopword actions with a WAF rule and keep the set of administrator accounts small.
There are currently no confirmed reports of active exploitation of CVE-2025-15376, but it is important to mitigate the vulnerability proactively.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories regarding CVE-2025-15376.