OOPSpam Anti-Spam < 1.2.54 – Unauthenticated IP Header Spoofing | CVE 2025-12094 | Plugin Vulnerabilities

Description

The plugin is vulnerable to IP Header Spoofing due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.

Affects Plugins

oopspam-anti-spam

Fixed in 1.2.54

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b5137bc2-912b-4e25-966e-515e8d9fc21c

Classification

Type

SPOOFING

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

fd880e66-1847-45e3-9b82-6d9ad6105ba8

Timeline

Publicly Published

2025-10-30 (about 6 months ago)

Added

2025-10-31 (about 6 months ago)

Last Updated

2025-10-31 (about 6 months ago)

Other

Published

Title

Published

2025-03-21

Title

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder < 6.0.0 - IP-Spoofing

Published

2023-11-21

Title

Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass

Published

2024-09-18

Title

Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass

Published

2024-09-16

Title

Maintenance Redirect < 2.1.0 - IP Spoofing to Maintenance Mode Bypass

Published

2025-10-09

Title

All In One Login 2.0.8 - IP Sooofing to Protection Mechanism Bypass