CVE-2025-14795
CSRF in Stop Spammers Classic Plugin Allows Spamlist Manipulation
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stop_spammers | classic | to 2026.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Stop Spammers Classic plugin for WordPress, affecting all versions up to and including 2026.1. It occurs because the plugin's ss_addtoallowlist class lacks nonce validation, allowing unauthenticated attackers to add arbitrary email addresses to the spam allowlist by tricking a site administrator into performing an action, such as clicking a malicious link.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to add arbitrary email addresses to the spam allowlist without authentication. This could allow spam or malicious emails to bypass spam filters, potentially leading to increased spam, phishing attempts, or other unwanted communications reaching users or administrators.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Stop Spammers Classic plugin to a version later than 2026.1 where the partial patch has been applied. Additionally, avoid clicking on suspicious links and ensure that site administrators are aware of the risk of Cross-Site Request Forgery attacks.