Description
Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded (block-spam-by-math-reloaded) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2.4.
Published: 2025-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that lets users invoke plugin functionality that should be restricted to privileged administrators. An attacker could use these unprotected endpoints to manipulate spam-filtering behavior, potentially bypassing the site's spam protection or injecting harmful content. The flaw is classified as CWE-862, a broken access control weakness that compromises the confidentiality and integrity of site data.

Affected Systems

WordPress sites running the Block Spam By Math Reloaded plugin at any version up to and including 2.2.4 are affected. Every installation is affected regardless of user role, because the plugin fails to enforce ACL checks on its exposed actions.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate security impact. Exploitation is considered unlikely, with an EPSS score below 1%, and the vulnerability is not listed in the CISA KEV catalog. Based on the report, an attacker could reach the vulnerable functions through HTTP requests to the plugin's endpoints, potentially from an unauthenticated or non-admin account. The attack vector is inferred: the description states only that proper authorization checks are absent.

Generated by OpenCVE AI on May 1, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Block Spam By Math Reloaded plugin to the latest available version.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to block access to the vulnerable functionality.
  • In the meantime, limit the plugin’s exposed capabilities to administrator accounts only by configuring WordPress role permissions or using a security plugin to block non‑admin access to the plugin’s endpoints.

Advisories

Source: EUVD
ID: EUVD-2025-7840
Title: Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Added:   {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4.
  Added:   Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2.4.
References
Metrics (cvssV3_1)
  Removed: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
  Added:   {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000

Metrics (epss)
  Removed: {'score': 0.00073}
  Added:   {'score': 0.00101}

Wed, 09 Apr 2025 14:30:00 +0000

First Time appeared
  Added: Jwpegram
  Added: Jwpegram block Spam By Math Reloaded
CPEs
  Added: cpe:2.3:a:jwpegram:block_spam_by_math_reloaded:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Jwpegram
  Added: Jwpegram block Spam By Math Reloaded

Wed, 12 Mar 2025 14:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000

Description
  Added: Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4.
Title
  Added: WordPress Block Spam By Math Reloaded plugin <= 2.2.4 - Broken Access Control vulnerability
Weaknesses
  Added: CWE-862
References
Metrics (cvssV3_1)
  Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:11:49.409Z
Reserved: 2025-03-11T08:08:49.775Z
Link: CVE-2025-28872

Vulnrichment

Updated: 2025-03-12T13:45:05.765Z

NVD

Status: Modified
Published: 2025-03-11T21:15:44.757
Modified: 2026-06-17T09:04:48.200
Link: CVE-2025-28872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses