Platform: wordpress
Component: stopwords-for-comments
Fixed in: 1.1.1
CVE-2025-15376 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Stopwords for comments plugin for WordPress. This flaw allows unauthenticated attackers to manipulate stopwords, potentially impacting comment filtering and site functionality. The vulnerability impacts versions 0.0.0 through 1.1. A fix is expected in a future plugin release.
An attacker could exploit this CSRF vulnerability to add or delete stopwords without authentication, effectively bypassing any intended comment filtering mechanisms. This could lead to an influx of unwanted comments, spam, or malicious content. The impact is amplified if the site administrator is tricked into clicking a malicious link, automatically executing the forged request. While the vulnerability doesn't directly lead to data exfiltration or system compromise, it can degrade the user experience and potentially be a stepping stone for further attacks if the stopwords influence other site behaviors.
This CVE was publicly disclosed on 2026-01-14. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is considered medium. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation is to upgrade to a patched version of the Stopwords for comments plugin once available. Until a patch is released, consider implementing a Web Application Firewall (WAF) rule to filter requests to the 'setstopwordsforcomments' and 'deletestopwordsforcomments' endpoints, requiring valid CSRF tokens. Additionally, restrict access to the plugin's configuration pages to authorized administrators only. Regularly review WordPress plugin configurations for potential vulnerabilities.
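The defence that closes a CSRF hole like this one in a WordPress AJAX handler is a per-action nonce check plus a capability check. The following is an added illustration written for this advisory, not the plugin's own code: the two action names come from the endpoints named above, while the option name, request field, stopword format and function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The action names follow the
// endpoints named in the advisory; the option name, request field and the
// comma-separated stopword format are assumptions for this example.

// Only the authenticated hook is registered (no wp_ajax_nopriv_ variant), so
// a request with no logged-in session reaches neither handler. CSRF matters
// because a forged request can still ride an administrator's session.
add_action( 'wp_ajax_setstopwordsforcomments', 'swc_example_set_stopwords' );
add_action( 'wp_ajax_deletestopwordsforcomments', 'swc_example_delete_stopwords' );

function swc_example_authorize( string $action ): void {
    // CSRF defence: the request must carry a nonce bound to this action.
    // A cross-site page cannot read the nonce, so a forged request fails here;
    // check_ajax_referer() terminates the request on a bad or missing nonce.
    check_ajax_referer( $action, '_wpnonce' );

    // Authorization is separate from CSRF protection: even with a valid nonce,
    // only users allowed to manage options may change the stopword list.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}

// Parse the assumed "stopwords" POST field into a clean list of words.
function swc_example_requested_words(): array {
    $raw = isset( $_POST['stopwords'] ) && is_string( $_POST['stopwords'] )
        ? wp_unslash( $_POST['stopwords'] ) : '';
    $words = array_map( 'sanitize_text_field', explode( ',', $raw ) );
    return array_values( array_unique( array_filter( array_map( 'trim', $words ) ) ) );
}

function swc_example_set_stopwords(): void {
    swc_example_authorize( 'setstopwordsforcomments' );
    $current = (array) get_option( 'swc_example_stopwords', array() );
    $merged  = array_values( array_unique( array_merge( $current, swc_example_requested_words() ) ) );
    update_option( 'swc_example_stopwords', $merged );
    wp_send_json_success( $merged );
}

function swc_example_delete_stopwords(): void {
    swc_example_authorize( 'deletestopwordsforcomments' );
    $current = (array) get_option( 'swc_example_stopwords', array() );
    $kept    = array_values( array_diff( $current, swc_example_requested_words() ) );
    update_option( 'swc_example_stopwords', $kept );
    wp_send_json_success( $kept );
}

// The plugin's own settings page must embed the matching nonce, for example
// wp_create_nonce( 'setstopwordsforcomments' ), in the request it sends.
```

A WAF rule that blocks these actions when the `_wpnonce` field is absent approximates the same check at the edge until a patched plugin version is installed.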
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-15376 is a Cross-Site Request Forgery vulnerability in the Stopwords for comments WordPress plugin, allowing attackers to manipulate stopwords via forged requests.
If you are using the Stopwords for comments plugin for WordPress, versions 0.0.0 through 1.1, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Stopwords for comments plugin as soon as it becomes available. Until then, implement WAF rules or restrict administrator access.
There are currently no confirmed reports of active exploitation of CVE-2025-15376, but it is important to mitigate the vulnerability proactively.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories regarding CVE-2025-15376.