Description
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.
Published: 2025-10-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass IP-based restrictions via header spoofing
Action: Patch Upgrade
AI Analysis

Impact

The OOPSpam Anti-Spam plugin for WordPress is vulnerable to IP header spoofing in all releases up to and including 1.2.53. The code trusts client-controlled forwarded headers such as CF-Connecting-IP and X-Forwarded-For without confirming that they originate from trusted proxies. An attacker who can send arbitrary HTTP headers can therefore change the apparent source address of a request. This flaw enables unauthenticated users to bypass IP-based defenses, including blacklists and rate limiting, and could be used to flood forms or comments while appearing to come from whitelisted IP ranges, evading security controls that rely on IP reputation.

Affected Systems

The affected software is the OOPSpam Anti-Spam plugin named "Spam Protection for WordPress Forms & Comments (No CAPTCHA)". All installed versions through 1.2.53 are vulnerable; newer releases are presumed fixed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating limited exploitation activity. Attackers can exploit the flaw remotely from any client that can reach the WordPress site by setting forwarded headers on their own requests, provided the server passes those headers through without validation. The attack requires no authentication, but the risk is primarily to the integrity of IP-based control mechanisms rather than to system compromise.

Generated by OpenCVE AI on April 21, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OOPSpam plugin to a version later than 1.2.53, which removes the acceptance of unverified forwarded headers.
  • Configure the web server (Apache, Nginx, etc.) to strip or ignore forwarded headers unless the request originates from a known, trusted reverse proxy.
  • Limit the use of IP‑based controls in the application until the plugin update has been applied, and review any custom security rules that may rely on header values.
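The description above and the second recommended action both come down to one rule: a forwarded header is only meaningful if the TCP peer that delivered it (REMOTE_ADDR) is a proxy you operate or trust. The following PHP is an added illustration written for this page, not the OOPSpam plugin's code. It shows the vulnerable pattern (first forwarded header wins) next to a hardened resolver that consults X-Forwarded-For only when REMOTE_ADDR is in a trusted-proxy list and then walks the chain from the right, skipping trusted hops. The TRUSTED_PROXIES list, the request arrays and all function names are constructed for the example.

```php
<?php
// Added example, not the plugin's code: resolve the client IP so that forwarded
// headers are honoured only when the request really came through a trusted proxy.

// Constructed trusted-proxy list for this example; an operator would put the
// addresses of their own reverse proxy / load balancer / CDN egress here.
const TRUSTED_PROXIES = ['10.0.0.0/8', '203.0.113.7/32'];

// True if $ip (IPv4 or IPv6) lies inside $cidr; both are compared in binary form.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or an IPv4 address tested against an IPv6 range
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = isset($parts[1]) ? (int) $parts[1] : $maxBits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // high $rem bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Vulnerable pattern (the class of bug in the description): whichever forwarded
// header is present wins, regardless of who actually sent the request.
function client_ip_vulnerable(array $server): string
{
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: REMOTE_ADDR is the only value the TCP layer vouches for.
// X-Forwarded-For is consulted only when that peer is a trusted proxy, and the
// chain is walked from the right so hops appended by trusted proxies are skipped
// and the first untrusted address is taken as the client. A CDN-specific header
// such as CF-Connecting-IP would be accepted under the same condition, with the
// CDN's published ranges in TRUSTED_PROXIES.
function client_ip_hardened(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($peer)) {
        return $peer; // direct client or unknown proxy: ignore every forwarded header
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the proxy's own address
        }
        if (!is_trusted_proxy($hop)) {
            return $hop;
        }
    }
    return $peer; // every hop was a trusted proxy: nothing better than the peer
}

// Constructed requests. The first arrives directly from 198.51.100.9 and carries a
// client-supplied CF-Connecting-IP; the second arrives from client 198.51.100.9
// via two trusted proxies (10.0.0.5 then 10.0.0.6), with a forged leading XFF entry.
$direct   = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CF_CONNECTING_IP' => '192.0.2.1'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.6',
             'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.9, 10.0.0.5'];

printf("vulnerable, direct client with forged header: %s\n", client_ip_vulnerable($direct));
printf("hardened,   direct client with forged header: %s\n", client_ip_hardened($direct));
printf("hardened,   via trusted proxies:              %s\n", client_ip_hardened($viaProxy));
```

The resolver complements, rather than replaces, the web-server action above: if Nginx or Apache strips forwarded headers from connections that do not come from the trusted proxy, the application-level check becomes a second line of defence instead of the only one. Note that the trusted-proxy list must match the real deployment; an empty list simply makes the resolver return REMOTE_ADDR, which is the safe default.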

Tracking

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Added: Oopspam; Oopspam oopspam Anti-spam; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Oopspam; Oopspam oopspam Anti-spam; Wordpress; Wordpress wordpress

Fri, 31 Oct 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Oct 2025 08:45:00 +0000

Type: Description
Values Added: The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.

Type: Title
Values Added: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing

Type: Weaknesses
Values Added: CWE-693

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Oopspam Oopspam Anti-spam
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:07.369Z

Reserved: 2025-10-22T19:21:34.626Z

Link: CVE-2025-12094

Vulnrichment

Updated: 2025-10-31T14:18:35.345Z

NVD

Status : Deferred

Published: 2025-10-31T09:15:46.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12094

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses