The Stop Spammers Classic WordPress plugin contains a Cross‑Site Request Forgery flaw caused by omitted nonce validation in the ss_addtoallowlist class. This flaw enables an attacker to forge a request that adds an email address to the spam allowlist. An attacker normally needs only a simple link to trick a site administrator into clicking and executing the request, but no authentication is required. The result is that unwanted email addresses can be whitelisted, potentially letting spammers bypass the plugin’s filtering logic and undermining the spam protection provided by the site. While this does not directly leak sensitive data or allow code execution, it erodes the integrity of the spam filtering process.

WordPress sites running the webguyio Stop Spammers Classic plugin, versions up to and inclusive of 2026.1. Any deployment of these versions should be considered at risk until updated.

The vulnerability is rated CVSS 4.3, indicating moderate severity. The EPSS score is less than 1%, suggesting that exploitation is relatively rare at present. It is not listed in the CISA KEV catalog. The attack path is straightforward: an unauthenticated web request made by a victim (e.g., a site administrator) that includes the necessary parameters to add an email address to the allowlist. Because the flaw is limited to the lack of nonce validation, exploitation requires no additional privileges beyond the administrator’s existing access level. The overall risk is therefore moderate, but the impact on spam prevention could be significant if an attacker successfully populates the allowlist with malicious addresses.