The Project Honey Pot Spam Trap plugin for WordPress, developed by awensley, is vulnerable to a Cross-Site Request Forgery (CSRF) attack identified as CVE-2025-12406. This vulnerability exists in all versions up to and including 1.0.1 due to missing or incorrect nonce validation in the printAdminPage() function, which is responsible for rendering the plugin's administrative interface. Nonces are security tokens used to verify that requests to perform sensitive actions originate from legitimate users and not from forged requests. The absence or improper implementation of nonce checks allows attackers to craft malicious web requests that, when visited or triggered by an authenticated site administrator, can cause unauthorized changes to plugin settings or injection of malicious web scripts. The attack requires no authentication on the attacker’s part but does require user interaction, specifically the administrator clicking a malicious link or visiting a crafted webpage. The vulnerability impacts the confidentiality and integrity of the affected WordPress site by enabling unauthorized configuration changes and potential script injection, which could be leveraged for further attacks such as privilege escalation or data theft. The CVSS v3.1 score of 6.1 reflects the medium severity, with a network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change indicating that the vulnerability affects components beyond the immediate vulnerable plugin. Currently, there are no known exploits in the wild, but the vulnerability poses a significant risk to sites using this plugin without mitigation or patching.

This vulnerability can allow attackers to manipulate the settings of the Project Honey Pot Spam Trap plugin without authentication by exploiting administrative user sessions. Unauthorized changes could disable spam protection or inject malicious scripts, potentially leading to further compromise such as cross-site scripting (XSS), data leakage, or unauthorized access to sensitive information. The integrity of the website’s security controls is undermined, and confidentiality may be breached if malicious scripts exfiltrate data or perform unauthorized actions. Although availability is not directly impacted, the resulting compromise could lead to broader attacks affecting site stability or user trust. Organizations relying on this plugin risk exposure to targeted attacks, especially if administrators are tricked into clicking malicious links. The scope of impact extends beyond the plugin itself, potentially affecting the entire WordPress site and its users.

1. Immediate mitigation involves updating the Project Honey Pot Spam Trap plugin to a version that includes proper nonce validation once available. Since no patch links are currently provided, monitor official sources for updates. 2. Until a patch is released, restrict administrative access to trusted networks or use VPNs to reduce exposure to CSRF attacks. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests that attempt to exploit CSRF vectors targeting the plugin’s admin pages. 4. Educate administrators to avoid clicking on unsolicited or suspicious links while logged into the WordPress admin panel. 5. Employ security plugins that add additional CSRF protections or nonce enforcement for administrative actions. 6. Regularly audit plugin configurations and monitor logs for unusual changes or access patterns. 7. Consider disabling or removing the plugin if it is not essential to reduce attack surface until a secure version is available.