Vulnerabilities and security researches forstop-spammer-registrations-plugin stop-spammer-registrations-plugin

Feb 27, 2026

CVE, Research URL: CVE-2025-14795
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: Jan 28, 2026
Research Description: The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
Affected versions: max 2026.2.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-2935
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: Jun 06, 2025
Research Description: The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2024.7.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-2488
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: Jun 05, 2023
Research Description: The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2023 does not sanitise and escape various parameters before outputting them back in admin dashboard pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions: max 2023.
Status: vulnerable

CVE, Research URL: CVE-2021-24517
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: Sep 06, 2021
Research Description: The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed
Affected versions: max 2021.18.
Status: vulnerable

CVE, Research URL: CVE-2021-24245
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: May 06, 2021
Research Description: The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.
Affected versions: max 2021.9.
Status: vulnerable

CVE, Research URL: CVE-2023-2489
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: Jun 05, 2023
Research Description: The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2023 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 2023.
Status: vulnerable

CVE, Research URL: CVE-2023-7065
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: May 04, 2024
Research Description: The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2024.5.
Status: vulnerable

CVE, Research URL: CVE-2022-4120
Home page URL: Security reports for Stop Spammers Security | Block Spam Users, Comments, Forms
Application: Stop Spammers Security | Block Spam Users, Comments, Forms
Date: Dec 26, 2022
Research Description: The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain
Affected versions: max 2022.6.
Status: vulnerable