WordPress Anti-Spam Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin, affecting all versions through 2024.7. The vulnerability arises from inadequate nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This flaw allows unauthenticated attackers to delete pending comments and re-enable previously blocked users by tricking site administrators into performing certain actions, such as clicking a link.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of pending comments and the reactivation of blocked users.

Reproduction

To reproduce this vulnerability, an attacker must exploit the Cross-Site Request Forgery flaw by sending a forged request that deletes pending comments or re-enables a blocked user. This can be done by tricking an administrator into clicking a link that contains the malicious request.