WordPress Plugin Vulnerabilities

Stop Spammers Security | Block Spam Users, Comments, Forms < 2024.5 - Cross-Site Request Forgery (CSRF) via sfs_process

Description

The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
stop-spammer-registrations-plugin
Fixed in 2024.5

References

CVE
CVE-2023-7065
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1998cadb-2eb3-4819-aa7c-59e4f777c7f8

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
f4241f58-6101-437b-acda-dfdd0f9fea47

Timeline

Publicly Published
2024-05-03 (about 2 years ago)
Added
2024-05-03 (about 2 years ago)
Last Updated
2024-05-03 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
Append Content <= 2.1.1 - Cross-Site Request Forgery to Settings Update
Published
2018-05-15
Title
Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery (CSRF)
Published
2025-03-31
Title
Elfsight Testimonials Slider <= 1.0.1 - Cross-Site Request Forgery to Settings Update
Published
2025-09-05
Title
Table of content <= 1.5.3.1 - Cross-Site Request Forgery
Published
2024-12-12
Title
WP Flipkart Importer <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting