{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12094", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T19:21:34.626Z", "datePublished": "2025-10-31T08:25:55.153Z", "dateUpdated": "2026-04-08T17:17:07.369Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:07.369Z"}, "affected": [{"vendor": "oopspam", "product": "OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.53", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests."}], "title": "OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5137bc2-912b-4e25-966e-515e8d9fc21c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/oopspam-anti-spam/tags/1.2.49/include/helpers.php#L268"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386104/oopspam-anti-spam/trunk/include/helpers.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-693 Protection Mechanism Failure", "cweId": "CWE-693", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-22T20:24:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-31T14:18:29.830236Z", "id": "CVE-2025-12094", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T14:18:40.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-31T14:18:29.830236Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T14:18:35.345Z"}}], "cna": {"title": "OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "oopspam", "product": "OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.53"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-22T20:24:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5137bc2-912b-4e25-966e-515e8d9fc21c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/oopspam-anti-spam/tags/1.2.49/include/helpers.php#L268"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386104/oopspam-anti-spam/trunk/include/helpers.php"}], "descriptions": [{"lang": "en", "value": "The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-31T08:25:55.153Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12094", "state": "PUBLISHED", "dateUpdated": "2025-10-31T14:18:40.788Z", "dateReserved": "2025-10-22T19:21:34.626Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-31T08:25:55.153Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests."}], "id": "CVE-2025-12094", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-31T09:15:46.050", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/oopspam-anti-spam/tags/1.2.49/include/helpers.php#L268"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3386104/oopspam-anti-spam/trunk/include/helpers.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5137bc2-912b-4e25-966e-515e8d9fc21c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:59:55.030636+00:00", "value": {"mitigation_remediation": ["Upgrade the OOPSpam plugin to a version later than 1.2.53, which removes the acceptance of unverified forwarded headers.", "Configure the web server (Apache, Nginx, etc.) to strip or ignore forwarded headers unless the request originates from a known, trusted reverse proxy.", "Limit the use of IP\u2011based controls in the application until the plugin update has been applied, and review any custom security rules that may rely on header values."], "summary": {"action": "Patch Upgrade", "impact": "Bypass IP-based restrictions via header spoofing"}, "threat_synthesis": {"affected_systems": "The affected software is the OOPSpam Anti-Spam plugin named \"Spam Protection for WordPress Forms & Comments (No CAPTCHA)\". All installed versions through 1.2.53 are vulnerable; newer releases are presumed fixed.", "description_and_impact": "The OOPSpam Anti\u2011Spam plugin for WordPress is vulnerable to IP header spoofing in all releases up to 1.2.53. The code trusts client\u2011controlled forwarded headers such as CF\u2011Connecting\u2011IP and X\u2011Forwarded\u2011For without confirming that they originate from trusted proxies. An attacker who can send arbitrary HTTP headers can therefore change the apparent source address of a request. This flaw enables unauthenticated users to bypass IP\u2011based defenses, including blacklists and rate\u2011limiting, and could be used to flood forms or comments from whitelisted IP ranges, ignoring security controls that rely on IP reputation.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating limited exploitation activity. Attackers can exploit the flaw remotely by modifying outbound HTTP headers on any client connected to the WordPress site, provided the server accepts forwarded headers without validation. Because the attack requires no authentication and the input is untrusted, the risk is primarily to the integrity of IP\u2011based control mechanisms rather than to system compromise."}}}}, "created": "2025-11-03T10:45:03.039678+00:00", "updated": "2026-04-21T02:00:12.334502+00:00", "vendors": ["oopspam", "oopspam$PRODUCT$oopspam_anti-spam", "wordpress", "wordpress$PRODUCT$wordpress"]}