Platform
wordpress
Component
stop-spammer-registrations-plugin
Fixed in
2026.1.1
CVE-2025-14795 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Stop Spammers Classic plugin for WordPress. The flaw lets unauthenticated attackers drive the plugin's functionality, specifically adding email addresses to the spam allowlist, through a forged request that a logged-in user is tricked into issuing. The vulnerability impacts versions from 0.0.0 up to and including 2026.1, but has been partially addressed in version 2026.1, with a full fix available in version 2026.2.
The primary impact of this CSRF vulnerability is that an attacker can bypass the intended security controls of the Stop Spammers Classic plugin. By crafting a malicious link and tricking a WordPress administrator into clicking it, an attacker can silently add arbitrary email addresses to the plugin's spam allowlist. Those addresses are then exempt from the plugin's spam filtering, potentially enabling attackers to send unsolicited emails or perform other malicious activities. The blast radius is limited to the affected WordPress site and its users, but the impact can be significant if the attacker can leverage the bypassed spam filtering for further attacks.
This vulnerability was publicly disclosed on January 28, 2026. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released as of the disclosure date. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Stop Spammers Classic plugin, particularly those with administrative users who are susceptible to social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
  grep -r 'ss_addtoallowlist' /var/www/html/wp-content/plugins/stop-spammers-classic/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'stop-spammers-classic'
• wordpress / composer / npm:
  curl -I https://example.com/wp-content/plugins/stop-spammers-classic/ | grep -i 'stop-spammers-classic'
Disclosure
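The checks above only tell you whether the plugin is present. What a defender actually needs is the installed version compared with the release the advisory tells you to upgrade to. The following is an added example (not code from the plugin or from this advisory) that reads the Version: line from a plugin's main file header, the same header WordPress itself parses, and flags anything below 2026.2. The plugin directory path and the sample header are assumptions constructed for the illustration.

```php
<?php
// Added example, not the plugin's own code: report whether an installed
// WordPress plugin is below the version this advisory recommends (2026.2).

const FIXED_VERSION = '2026.2';

/**
 * Extract the "Version:" value from a WordPress plugin header comment.
 * Returns null when no such line is present.
 */
function parse_plugin_version(string $file_contents): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $file_contents, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** True when $version sorts below the fixed release (PHP's version_compare semantics). */
function is_affected_version(string $version, string $fixed = FIXED_VERSION): bool
{
    return version_compare($version, $fixed, '<');
}

/**
 * Find the plugin's main file (the one carrying a "Plugin Name:" header) inside
 * a plugin directory and return its version, or null if none is found.
 */
function scan_plugin_dir(string $dir): ?string
{
    foreach (glob(rtrim($dir, '/') . '/*.php') ?: [] as $file) {
        // WordPress reads only the first 8 KiB of the file for header data; do the same.
        $head = file_get_contents($file, false, null, 0, 8192);
        if ($head !== false && stripos($head, 'Plugin Name:') !== false) {
            return parse_plugin_version($head);
        }
    }
    return null;
}

// Constructed sample header for offline demonstration (not from the real plugin).
$sample_header = <<<'HDR'
<?php
/**
 * Plugin Name: Example Spam Plugin
 * Version: 2026.1
 */
HDR;

$ver = parse_plugin_version($sample_header);
printf("sample header version %s: %s\n", $ver, is_affected_version($ver) ? 'AFFECTED, upgrade' : 'fixed');

// Live check when run on a WordPress host; the path is an assumption.
$plugin_dir = '/var/www/html/wp-content/plugins/stop-spammers-classic';
if (is_dir($plugin_dir) && ($installed = scan_plugin_dir($plugin_dir)) !== null) {
    printf("installed version %s: %s\n", $installed, is_affected_version($installed) ? 'AFFECTED, upgrade' : 'fixed');
}
```

Run it with `php check-version.php` on the host; `wp plugin get stop-spammers-classic --field=version` gives the same answer where WP-CLI is available, but the header parse works on a backup or a mounted volume where WordPress cannot boot.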
Exploit Status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-14795 is to immediately upgrade the Stop Spammers Classic plugin to version 2026.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out requests that lack proper nonce validation for the ss_addtoallowlist function. Additionally, review WordPress user permissions and restrict administrative access to only authorized personnel to minimize the risk of successful CSRF attacks. After upgrading, confirm the fix by attempting to trigger the allowlist addition functionality via a crafted request and verifying that it is blocked.
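For readers who maintain their own plugins, the fix the advisory is asking the vendor for is a standard one. The block below is an added example, not the Stop Spammers Classic code: a hypothetical "add to allowlist" admin action shown first in the CSRF-prone form described above, then hardened with a capability check, a WordPress nonce and input validation. The option name, action name and hook names are assumptions chosen for the illustration; the real plugin's handler, named ss_addtoallowlist on this page, is not reproduced here.

```php
<?php
// Added example, not the plugin's own code. Option and action names are assumptions.

const EXAMPLE_OPTION = 'example_spam_allowlist';
const EXAMPLE_ACTION = 'example_allowlist_add';

// --- Vulnerable pattern (the shape of the flaw): trusts any request carrying an email. ---
// A logged-in administrator who loads an attacker-controlled page submits this
// request with their own session cookie, and the address is stored silently.
function example_allowlist_add_unsafe(): void
{
    $list   = (array) get_option(EXAMPLE_OPTION, []);
    $list[] = (string) ($_REQUEST['email'] ?? '');
    update_option(EXAMPLE_OPTION, array_values(array_unique($list)));
}

// --- Hardened handler: capability + nonce + validation. ---
function example_allowlist_add(): void
{
    // 1. Only users allowed to manage settings may change the allowlist.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 403);
    }
    // 2. The nonce binds the request to a form rendered for this user and this
    //    action; a cross-site page cannot know it. check_admin_referer() halts
    //    execution when the nonce is missing or invalid.
    check_admin_referer(EXAMPLE_ACTION, '_wpnonce');
    // 3. Validate the input before storing it; accept POST only.
    $email = sanitize_email((string) ($_POST['email'] ?? ''));
    if (!is_email($email)) {
        wp_die('Invalid email address.', 400);
    }
    $list = (array) get_option(EXAMPLE_OPTION, []);
    if (!in_array($email, $list, true)) {
        $list[] = $email;
        update_option(EXAMPLE_OPTION, $list);
    }
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php')));
    exit;
}
add_action('admin_post_' . EXAMPLE_ACTION, 'example_allowlist_add');

// The form that issues the nonce; only a request built from it passes the check.
function example_allowlist_form(): void
{
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr(EXAMPLE_ACTION); ?>">
        <?php wp_nonce_field(EXAMPLE_ACTION, '_wpnonce'); ?>
        <input type="email" name="email" required>
        <button type="submit">Add to allowlist</button>
    </form>
    <?php
}
```

One caveat on the WAF workaround mentioned above: a WAF can only check that a `_wpnonce` parameter is present on requests to the affected action, not that it is valid, because the nonce is derived from the user's session and rotates. That makes the rule a stopgap that blocks the simplest forged links; the server-side check in the handler, and therefore the plugin upgrade, is the real fix.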
Update to version 2026.2 or a newer patched version
CVE-2025-14795 is a Cross-Site Request Forgery (CSRF) vulnerability in the Stop Spammers Classic WordPress plugin, allowing attackers to add email addresses to the spam allowlist without authentication.
You are affected if you are using Stop Spammers Classic plugin versions 0.0.0 through 2026.1. Upgrade to 2026.2 or later to mitigate the risk.
Upgrade the Stop Spammers Classic plugin to version 2026.2 or later. As a temporary workaround, implement a WAF rule to validate nonce usage.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-14795.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.