CVE-2025-14795 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Stop Spammers Classic plugin for WordPress, developed by webguyio. The vulnerability exists due to the absence of nonce validation in the ss_addtoallowlist class, which handles adding email addresses to the spam allowlist. Without nonce checks, an attacker can craft a malicious request that, when executed by an authenticated site administrator (via clicking a link or visiting a crafted webpage), adds arbitrary email addresses to the allowlist. This bypasses intended spam filtering controls, potentially allowing spam or malicious emails to bypass defenses. The vulnerability affects all plugin versions up to and including 2026.1, with a partial patch applied in 2026.1. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction. The impact is limited to integrity, as confidentiality and availability are not affected. No known exploits have been reported in the wild, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with administrators who might be tricked into clicking malicious links. The plugin is widely used in WordPress environments, which are prevalent globally, making this a relevant concern for many organizations relying on WordPress for their web presence.

The primary impact of this vulnerability is on the integrity of spam filtering configurations within affected WordPress sites. By adding arbitrary email addresses to the spam allowlist, attackers can enable spam or malicious emails to bypass filtering mechanisms, increasing the risk of phishing, malware delivery, or social engineering attacks via email. While the vulnerability does not directly compromise confidentiality or availability, it weakens the site's defenses against unwanted or harmful emails, potentially leading to secondary attacks or user compromise. Organizations with high reliance on email filtering and WordPress-based websites are at risk of degraded security posture. Since exploitation requires tricking an administrator into clicking a link, social engineering remains a key risk factor. The partial patch in version 2026.1 reduces risk for updated sites, but unpatched instances remain vulnerable. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.

1. Update the Stop Spammers Classic plugin to the latest version beyond 2026.1 where the partial patch is applied; monitor for further updates that fully address the issue. 2. Implement additional CSRF protections at the WordPress site level, such as enforcing nonce validation for all state-changing requests and using security plugins that add CSRF defenses. 3. Educate site administrators about the risks of clicking unsolicited or suspicious links, especially those that could trigger administrative actions. 4. Restrict administrative access to trusted networks or use multi-factor authentication to reduce the risk of unauthorized actions. 5. Regularly audit the spam allowlist and other critical configurations for unauthorized changes. 6. Employ web application firewalls (WAFs) with rules to detect and block suspicious CSRF attempts targeting the plugin endpoints. 7. Monitor logs for unusual POST requests to the plugin’s allowlist functionality to detect potential exploitation attempts early.