{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2112", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-06T14:33:43.570Z", "datePublished": "2026-02-18T07:25:42.068Z", "dateUpdated": "2026-04-08T17:29:22.014Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:22.014Z"}, "affected": [{"vendor": "webguyio", "product": "Dam Spam", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pending comments via a forged request granted they can trick an admin into performing an action such as clicking on a link."}], "title": "Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e336dc27-4a76-4197-929c-b221f42bfe69?source=cve"}, {"url": "https://github.com/webguyio/dam-spam/blob/52e12fb455e7b670af2e0713f9da84d2d1d309ac/settings/cleanup.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/dam-spam/trunk/settings/cleanup.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/dam-spam/tags/1.0.6/settings/cleanup.php#L92"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457369%40dam-spam&new=3457369%40dam-spam&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "timeline": [{"time": "2026-02-17T19:02:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:24:59.016209Z", "id": "CVE-2026-2112", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:51:56.413Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2112", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:24:59.016209Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:00.233Z"}}], "cna": {"title": "Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webguyio", "product": "Dam Spam", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-17T19:02:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e336dc27-4a76-4197-929c-b221f42bfe69?source=cve"}, {"url": "https://github.com/webguyio/dam-spam/blob/52e12fb455e7b670af2e0713f9da84d2d1d309ac/settings/cleanup.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/dam-spam/trunk/settings/cleanup.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/dam-spam/tags/1.0.6/settings/cleanup.php#L92"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457369%40dam-spam&new=3457369%40dam-spam&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pending comments via a forged request granted they can trick an admin into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:22.014Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2112", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:22.014Z", "dateReserved": "2026-02-06T14:33:43.570Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T07:25:42.068Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pending comments via a forged request granted they can trick an admin into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Dam Spam para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0.8, inclusive. Esto se debe a la falta de verificaci\u00f3n de nonce en la acci\u00f3n de eliminaci\u00f3n de comentarios pendientes en la p\u00e1gina de limpieza. Esto hace posible que atacantes no autenticados eliminen todos los comentarios pendientes mediante una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-2112", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T08:16:15.637", "references": [{"source": "security@wordfence.com", "url": "https://github.com/webguyio/dam-spam/blob/52e12fb455e7b670af2e0713f9da84d2d1d309ac/settings/cleanup.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dam-spam/tags/1.0.6/settings/cleanup.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dam-spam/trunk/settings/cleanup.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457369%40dam-spam&new=3457369%40dam-spam&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e336dc27-4a76-4197-929c-b221f42bfe69?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Dam Spam", "source": "cna", "vendor": "webguyio"}, "product": "dam_spam", "vendor": "webguyio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:06:38.239880+00:00", "value": {"mitigation_remediation": ["Upgrade the Dam Spam plugin to a version newer than 1.0.8.", "If an upgrade is not possible, edit the cleanup.php file to require nonce verification or disable the pending comment deletion action entirely.", "Limit access to the cleanup page to trusted administrators and educate them about avoiding suspicious links and understanding CSRF risks."], "summary": {"action": "Update Plugin", "impact": "Unauthorized deletion of pending comments via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the webguyio Dam Spam WordPress plugin with a version of 1.0.8 or earlier are affected. The vulnerability is present in every release up to and including 1.0.8 and can be exploited in any WordPress environment that uses the plugin without additional CSRF safeguards.", "description_and_impact": "The Dam Spam plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery because the pending comment deletion action on the cleanup page lacks nonce verification. An unauthenticated attacker can trick an administrator into clicking a crafted link, causing all pending comments to be deleted. This results in loss of moderation data and disrupts site content integrity. The CVSS score of 4.3 reflects a moderate risk level for this type of data loss attack.", "risk_and_exploitability": "The EPSS score is below 1%, indicating a low probability of exploitation under current conditions, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is a social\u2011engineering attempt that lures an administrator into visiting a maliciously crafted URL. The absence of nonce checks allows the forged request to be processed without authentication, making the exploit straightforward once the admin acts."}}}}, "created": "2026-02-18T10:32:26.209714+00:00", "updated": "2026-04-15T17:30:10.435767+00:00", "vendors": ["webguyio", "webguyio$PRODUCT$dam_spam", "wordpress", "wordpress$PRODUCT$wordpress"]}