Stop Spammers Classic WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Stop Spammers Classic plugin for WordPress, affecting all versions through 2026.1. The issue arises from inadequate nonce validation in the 'ss_addtoallowlist' class, allowing unauthenticated attackers to add arbitrary email addresses to the spam allowlist. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Successful exploitation lets an attacker cause an authenticated administrator's browser to perform an action the administrator did not intend; in this case, email addresses are added to the spam allowlist, so mail from those senders is no longer treated as spam.

Reproduction

To reproduce this vulnerability, an attacker must cause a forged request to reach the WordPress site from the browser of a user with administrative privileges. The request carries the email address to be added; because the targeted function performs no nonce verification, nothing ties the request to a form the administrator actually submitted, and the address is added to the allowlist without authorization.
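The class of bug described above, shown as an added illustration that is not the plugin's code: a WordPress admin action that writes to an allowlist without a nonce, next to the same handler protected with a capability check and check_admin_referer(). All option keys, action names, hook names and function names here are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. The option key, the action and
// nonce names and the admin-post hook below are hypothetical.

// BEFORE: the handler writes the submitted address to the allowlist without
// checking a nonce, so any request carrying the admin's session cookies,
// including one a third-party page triggers, is honoured.
function example_add_to_allowlist_vulnerable() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $list  = (array) get_option( 'example_spam_allowlist', array() );
    if ( is_email( $email ) && ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'example_spam_allowlist', $list );
    }
}

// AFTER: the form carries a nonce bound to one action string, and the handler
// refuses the request unless the nonce verifies and the caller holds the
// capability. check_admin_referer() stops with a 403 page on a missing or
// invalid nonce, which is what defeats a cross-site forged POST.
function example_render_allowlist_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_add_allowlist">';
    wp_nonce_field( 'example_add_allowlist', 'example_nonce' ); // emits the nonce field
    echo '<input type="email" name="email"> <button type="submit">Allow</button>';
    echo '</form>';
}

function example_add_to_allowlist_fixed() {
    // Capability check: only users who may manage options can change the list.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Nonce check, bound to the same action string used by wp_nonce_field().
    check_admin_referer( 'example_add_allowlist', 'example_nonce' );

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $list  = (array) get_option( 'example_spam_allowlist', array() );
    if ( is_email( $email ) && ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'example_spam_allowlist', $list );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_add_allowlist', 'example_add_to_allowlist_fixed' );
```

The nonce alone is not an authorization check, which is why the capability test sits alongside it; a valid nonce only proves the request originated from a form the site itself rendered for that user.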

Remediation

Users are advised to update the Stop Spammers Classic WordPress plugin to version 2026.2 or later.

Added: Jan 28, 2026, 2:20 PM
Updated: Jan 28, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.2
remediation: 0.0
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.