Description
The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via a CSRF‑enabled admin setting update
Action: Patch Now
AI Analysis

Impact

The Project Honey Pot Spam Trap WordPress plugin does not validate a nonce in printAdminPage(), the function that handles its admin settings page. Because the check is missing or incorrect, a request that an administrator's browser is tricked into sending (for example by visiting an attacker-controlled page) is accepted as a legitimate settings update, and an attacker who controls the submitted values can store script in a plugin setting. The stored script then executes in the browser of anyone who views the page where that setting is rendered, giving the attacker arbitrary client-side code in the site's origin. This can lead to session hijacking, defacement, or further actions taken with the victim's privileges, compromising the integrity and confidentiality of the site's administrative interface.

Affected Systems

WordPress users running the Project Honey Pot Spam Trap plugin version 1.0.1 or earlier are affected. All installations of this plugin up to and including 1.0.1 have the missing nonce check in printAdminPage().

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) rates the issue Medium: it is reachable over the network with low attack complexity and no privileges required, but user interaction is required, confidentiality and integrity impact are each rated low, and scope is changed because the payload runs in the victim's browser rather than only inside the plugin. The EPSS score below 1% indicates a low estimated probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The attacker needs no account on the target site; what makes the attack work is that the forged request is issued by a logged-in administrator's browser, typically after the administrator clicks a link or visits an attacker-controlled page, so it carries the administrator's session cookie and passes any capability check. Because no nonce is validated, the plugin accepts the submitted values and stores them, and the injected script is then served by the site itself.

Generated by OpenCVE AI on April 21, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • This page lists no fixed version (all versions up to and including 1.0.1 are affected). If the vendor releases a version after 1.0.1 that adds nonce validation to printAdminPage(), update to it; until then, deactivate and remove the plugin rather than leave it installed.
  • A capability check on printAdminPage() is still required, but it does not prevent this attack on its own: the forged request is sent by an administrator who holds the capability. The code-level fix is a per-action nonce (wp_nonce_field() in the settings form, check_admin_referer() or wp_verify_nonce() before any update_option() call), together with sanitizing submitted values and escaping them on output so that a stored setting cannot become script.
  • A web application firewall or reverse proxy cannot validate WordPress nonces, which are per-user, per-action values generated by the application, but it can reject POST requests to /wp-admin/ whose Origin or Referer header is not the site's own origin. That blocks the cross-site form submission this attack relies on and is a reasonable stopgap, not a replacement for the nonce check.

Generated by OpenCVE AI on April 21, 2026 at 01:33 UTC.
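Added example, not code from the Project Honey Pot Spam Trap plugin or from OpenCVE: a minimal WordPress admin settings handler in the shape the description above gives for printAdminPage(), first with the missing nonce check that makes the forged settings update possible, then hardened as the recommended actions describe. The function names, the option name example_api_key, the nonce action example_save_settings and the form field names are assumptions for illustration; the WordPress API calls used (current_user_can, check_admin_referer, wp_nonce_field, sanitize_text_field, wp_unslash, esc_attr, update_option, get_option) are real.

```php
<?php
/*
 * Illustrative example only (assumption): not the plugin's real code.
 * Option name, nonce action and field names are placeholders.
 */

// --- Vulnerable pattern: saves POSTed settings with no nonce check (CWE-352) ---
// The capability check alone does not stop CSRF: the forged request is sent
// by the administrator's own browser, so current_user_can() passes.
function example_vulnerable_printAdminPage() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['example_api_key'] ) ) {
        // Raw input is stored unsanitized, so a forged POST can persist markup.
        update_option( 'example_api_key', $_POST['example_api_key'] );
    }
    $value = get_option( 'example_api_key', '' );
    // Unescaped output turns the stored value into stored XSS on every page load.
    echo '<form method="post">';
    echo '<input type="text" name="example_api_key" value="' . $value . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened pattern: nonce in the form, nonce + capability check on save,
//     sanitize on input, escape on output ---
function example_hardened_printAdminPage() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['example_api_key'] ) ) {
        // check_admin_referer() verifies the nonce bound to this action and the
        // current user's session; a page on another origin cannot obtain it.
        // On failure it calls wp_die() and the settings are never touched.
        check_admin_referer( 'example_save_settings', 'example_nonce' );
        $clean = sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) );
        update_option( 'example_api_key', $clean );
    }
    $value = get_option( 'example_api_key', '' );
    echo '<form method="post">';
    // Emits a hidden field named "example_nonce" plus a referer field.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="text" name="example_api_key" value="' . esc_attr( $value ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

In the vulnerable version, a page on another origin that auto-submits a form to the settings page succeeds whenever the administrator is logged in, because the browser attaches the WordPress session cookie and the capability check passes. In the hardened version the same request fails inside check_admin_referer(): the nonce is derived from the action, the user ID and the session token, none of which the cross-site page can read. WordPress nonces are not single-use and remain valid for up to 24 hours, so they are a CSRF defense, not a replay defense. Plugins that register options through the Settings API (register_setting() plus settings_fields() in the form) get the equivalent nonce check from options.php automatically.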

Advisories

No advisories yet.

History

Wed, 19 Nov 2025 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Awensley; Awensley project Honey Pot Spam Trap; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Awensley; Awensley project Honey Pot Spam Trap; Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title         (none)           Project Honey Pot Spam Trap <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses    (none)           CWE-352
References
Metrics       (none)           cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:24.057Z

Reserved: 2025-10-28T14:53:21.080Z

Link: CVE-2025-12406

Vulnrichment

Updated: 2025-11-18T21:07:35.529Z

NVD

Status : Deferred

Published: 2025-11-18T09:15:48.317

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses