{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14795", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-16T18:04:36.930Z", "datePublished": "2026-01-28T13:26:14.651Z", "dateUpdated": "2026-04-08T16:55:49.327Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:49.327Z"}, "affected": [{"vendor": "webguyio", "product": "Stop Spammers Classic", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2026.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1."}], "title": "Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21"}, {"url": "https://plugins.trac.wordpress.org/changeset/3436357/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440788/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Stephanie Walters"}], "timeline": [{"time": "2026-01-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:26:16.361442Z", "id": "CVE-2025-14795", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:28:44.994Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14795", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:26:16.361442Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:28:38.521Z"}}], "cna": {"title": "Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist", "credits": [{"lang": "en", "type": "finder", "value": "Stephanie Walters"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webguyio", "product": "Stop Spammers Classic", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2026.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-27T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21"}, {"url": "https://plugins.trac.wordpress.org/changeset/3436357/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440788/"}], "descriptions": [{"lang": "en", "value": "The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:49.327Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14795", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:49.327Z", "dateReserved": "2025-12-16T18:04:36.930Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T13:26:14.651Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1."}, {"lang": "es", "value": "El plugin Stop Spammers Classic para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta, e incluyendo, la 2026.1. Esto se debe a la falta de validaci\u00f3n de nonce en la clase ss_addtoallowlist. Esto hace posible que atacantes no autenticados a\u00f1adan direcciones de correo electr\u00f3nico arbitrarias a la lista de permitidos de correo no deseado a trav\u00e9s de una petici\u00f3n falsificada siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace. La vulnerabilidad fue parcialmente parcheada en la versi\u00f3n 2026.1."}], "id": "CVE-2025-14795", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T14:16:02.473", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3436357/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3440788/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:07:55.788348+00:00", "value": {"mitigation_remediation": ["Upgrade the Stop Spammers Classic plugin to version 2026.1 or later to apply the official fix for the missing nonce validation", "Verify that the plugin\u2019s settings enforce CSRF protection by confirming the presence of nonces on allowlist modification forms", "If upgrading is not immediately possible, restrict access to the allowlist modification endpoint so that only trusted administrators can reach it, or temporarily disable the allowlist feature until a patch is applied"], "summary": {"action": "Patch", "impact": "Moderate impact due to CSRF that allows unauthenticated attackers to add arbitrary email addresses to the plugin\u2019s allowlist"}, "threat_synthesis": {"affected_systems": "WordPress sites running the webguyio Stop Spammers Classic plugin, versions up to and inclusive of 2026.1. Any deployment of these versions should be considered at risk until updated.", "description_and_impact": "The Stop Spammers Classic WordPress plugin contains a Cross\u2011Site Request Forgery flaw caused by omitted nonce validation in the ss_addtoallowlist class. This flaw enables an attacker to forge a request that adds an email address to the spam allowlist. An attacker normally needs only a simple link to trick a site administrator into clicking and executing the request, but no authentication is required. The result is that unwanted email addresses can be whitelisted, potentially letting spammers bypass the plugin\u2019s filtering logic and undermining the spam protection provided by the site. While this does not directly leak sensitive data or allow code execution, it erodes the integrity of the spam filtering process.", "risk_and_exploitability": "The vulnerability is rated CVSS 4.3, indicating moderate severity. The EPSS score is less than 1%, suggesting that exploitation is relatively rare at present. It is not listed in the CISA KEV catalog. The attack path is straightforward: an unauthenticated web request made by a victim (e.g., a site administrator) that includes the necessary parameters to add an email address to the allowlist. Because the flaw is limited to the lack of nonce validation, exploitation requires no additional privileges beyond the administrator\u2019s existing access level. The overall risk is therefore moderate, but the impact on spam prevention could be significant if an attacker successfully populates the allowlist with malicious addresses."}}}}, "created": "2026-01-29T09:17:53.045983+00:00", "updated": "2026-04-21T16:15:40.501099+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}