Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
Platform
wordpress
Component
stop-spammer-registrations-plugin
Fixed in
2026.1.1
CVE-2025-14795 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Stop Spammers Classic plugin for WordPress. The flaw lets an unauthenticated attacker abuse the plugin's functionality, specifically to add email addresses to the spam allowlist. The vulnerability affects versions from 0.0.0 up to and including 2026.1; it was partially addressed in version 2026.1, with a full fix available in version 2026.2.
Impact and Attack Scenarios
The primary impact of this CSRF vulnerability is that an attacker can bypass the intended security controls of the Stop Spammers Classic plugin. By crafting a malicious link and tricking a WordPress administrator into clicking it, an attacker can silently add arbitrary email addresses to the plugin's spam allowlist. Those addresses are then exempt from spam filtering, which may let the attacker send unsolicited email or perform other malicious activity. The blast radius is limited to the affected WordPress site and its users, but the impact can be significant if the attacker can leverage the bypassed spam filtering for further attacks.
Exploitation Context
This vulnerability was publicly disclosed on January 28, 2026. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released as of the disclosure date. The vulnerability is not currently listed on the CISA KEV catalog.
Who Is at Risk
WordPress websites running the Stop Spammers Classic plugin are at risk, particularly those whose administrative users are susceptible to social engineering. Shared hosting environments, where multiple websites share the same server resources, are also at increased risk, since a compromise of one site could affect others.
Detection Steps
• wordpress / composer / npm:
grep -r 'ss_addtoallowlist' /var/www/html/wp-content/plugins/stop-spammers-classic/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'stop-spammers-classic'
• wordpress / composer / npm:
curl -I https://example.com/wp-content/plugins/stop-spammers-classic/ | grep -i 'stop-spammers-classic'
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low — no special conditions. The attacker can exploit reliably.
- Privileges Required
- None — no authentication required to exploit.
- User Interaction
- Required — the victim must open a file, click a link or visit a page.
- Scope
- Unchanged — impact limited to the vulnerable component.
- Confidentiality
- None — no impact on confidentiality.
- Integrity
- Low — the attacker can modify some data with limited reach.
- Availability
- None — no impact on availability.
Affected Software
Package information
- Active installs
- 30K
- Plugin rating
- 4.4
- Requires WordPress
- 3.0+
- Tested up to
- 7.0
- Requires PHP
- 5.0+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The recommended mitigation for CVE-2025-14795 is to upgrade the Stop Spammers Classic plugin to version 2026.2 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that filters requests to the ss_addtoallowlist function that do not carry a valid nonce. Additionally, review WordPress user permissions and restrict administrative access to authorized personnel only, to reduce the pool of users whose sessions a CSRF attack could ride on. After upgrading, confirm the fix by attempting to trigger the allowlist addition via a crafted request and verifying that it is blocked.
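The nonce validation the paragraph above refers to is what the fixed handler must enforce. The following is an added example of a CSRF-safe WordPress admin-post handler for an "add email to allowlist" action; it is not the plugin's own code, and the option key `my_allowlist_emails`, the action name `my_add_to_allowlist` and the form function are assumptions.

```php
<?php
// Added example (not code from the Stop Spammers Classic plugin): a hardened
// WordPress admin-post handler for an "add email to allowlist" action, with the
// checks a CSRF-safe version of an action like ss_addtoallowlist needs.
// Assumptions: option key 'my_allowlist_emails' and action name
// 'my_add_to_allowlist' are hypothetical; the admin form is my_render_allowlist_form().

// Form side: wp_nonce_field() ties the request to the logged-in user's session,
// so a form on an attacker-controlled page cannot produce a valid nonce.
function my_render_allowlist_form() {
    $action = esc_url( admin_url( 'admin-post.php' ) );
    echo '<form method="post" action="' . $action . '">';
    echo '<input type="hidden" name="action" value="my_add_to_allowlist">';
    wp_nonce_field( 'my_add_to_allowlist', '_my_nonce' ); // nonce action + field name
    echo '<input type="email" name="email" required>';
    submit_button( 'Add to allowlist' );
    echo '</form>';
}

// Handler side. A CSRF-vulnerable handler would read $_POST['email'] and call
// update_option() directly, so any request sent by an admin's browser, including
// one triggered from a page the attacker controls, would succeed.
function my_handle_add_to_allowlist() {
    // 1. CSRF check: dies with HTTP 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'my_add_to_allowlist', '_my_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege; check capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: only store a syntactically valid address.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }

    // 4. Persist without duplicates.
    $list = (array) get_option( 'my_allowlist_emails', array() );
    if ( ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'my_allowlist_emails', $list );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
// admin_post_{action} hooks run only for logged-in users; the nonce and
// capability checks above are what make the action CSRF-safe.
add_action( 'admin_post_my_add_to_allowlist', 'my_handle_add_to_allowlist' );
```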
How to fix
Update to version 2026.2, or a later fixed version
Frequently Asked Questions
What is CVE-2025-14795 — CSRF in Stop Spammers Classic?
CVE-2025-14795 is a Cross-Site Request Forgery (CSRF) vulnerability in the Stop Spammers Classic WordPress plugin, allowing attackers to add email addresses to the spam allowlist without authentication.
Am I affected by CVE-2025-14795 in Stop Spammers Classic?
You are affected if you are using Stop Spammers Classic plugin versions 0.0.0 through 2026.1. Upgrade to 2026.2 or later to mitigate the risk.
How do I fix CVE-2025-14795 in Stop Spammers Classic?
Upgrade the Stop Spammers Classic plugin to version 2026.2 or later. As a temporary workaround, implement a WAF rule to validate nonce usage.
Is CVE-2025-14795 being actively exploited?
There is currently no evidence of active exploitation campaigns targeting CVE-2025-14795.
Where can I find the official Stop Spammers Classic advisory for CVE-2025-14795?
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.