The Stop Registration Spam plugin by tomroyal for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2024-12219. This vulnerability exists in all versions up to and including 1.23 due to missing or incorrect nonce validation mechanisms. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from forged sources. The absence or improper implementation of nonce checks allows attackers to craft malicious web requests that, when executed by an authenticated site administrator (via clicking a link or visiting a malicious page), perform unauthorized actions within the plugin. These actions could include altering spam registration settings or injecting malicious scripts that compromise site integrity. The vulnerability requires no prior authentication but does require user interaction, specifically the administrator clicking a malicious link. The CVSS 3.1 base score is 6.1, reflecting medium severity with attack vector as network, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with high administrative traffic and exposure. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation.

This vulnerability can lead to unauthorized changes in the Stop Registration Spam plugin settings, potentially allowing attackers to bypass spam protections or inject malicious scripts that compromise site confidentiality and integrity. While availability is not affected, the unauthorized modification of spam controls can degrade site security and user trust. Attackers could exploit this to facilitate further attacks such as spam registrations, phishing, or malware distribution. Organizations relying on this plugin for spam prevention may experience increased spam registrations, data leakage, or site defacement. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with high administrator activity. The medium severity rating reflects a moderate but significant threat, particularly for high-profile or high-traffic WordPress sites.

Administrators should immediately verify if their WordPress sites use the tomroyal Stop Registration Spam plugin and identify the version installed. Until an official patch is released, consider temporarily disabling the plugin or restricting administrative access to trusted networks to reduce exposure. Implement additional web application firewall (WAF) rules to detect and block suspicious CSRF attempts targeting plugin endpoints. Educate site administrators about the risks of clicking unknown or suspicious links, especially when logged into WordPress admin panels. Monitor site logs for unusual changes to spam registration settings or unexpected administrative actions. Once a patch is available, promptly update the plugin to the fixed version. Additionally, site owners can implement custom nonce validation or CSRF protection mechanisms at the web server or application level as an interim safeguard.