cleantalk
Vulnerabilities and Security Researches

OOPSpam Anti-Spam, CVE-2025-12094

CVE, Research URL

CVE-2025-12094

Home page URL

Security reports for OOPSpam Anti-Spam

Application

OOPSpam Anti-Spam

Published on
Oct 31, 2025
Research Description
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.
Affected versions
max 1.2.54.
Status
vulnerable
Previous vulnerability researches
ACF to REST API (CVE-2025-62979) , Nov 10, 2025
ACF to REST API (CVE-2020-13700) , Jun 07, 2024
New vulnerability
Theme Editor (CVE-2025-9890) , Nov 10, 2025
wpForo Forum (CVE-2025-4203) , Nov 10, 2025
wpForo Forum (CVE-2025-11740) , Nov 10, 2025
Estatik Real Estate Plugin (CVE-2025-62963) , Nov 10, 2025
Interactive Content – H5P (CVE-2025-62951) , Nov 10, 2025