Description
The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pending comments via a forged request granted they can trick an admin into performing an action such as clicking on a link.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of pending comments via CSRF
Action: Update Plugin
AI Analysis

Impact

The Dam Spam plugin for WordPress is vulnerable to Cross‑Site Request Forgery because the pending comment deletion action on the cleanup page lacks nonce verification. An unauthenticated attacker can trick an administrator into clicking a crafted link, causing all pending comments to be deleted. This results in loss of moderation data and disrupts site content integrity. The CVSS score of 4.3 reflects a moderate risk level for this type of data loss attack.

Affected Systems

All installations of the webguyio Dam Spam WordPress plugin with a version of 1.0.8 or earlier are affected. The vulnerability is present in every release up to and including 1.0.8 and can be exploited in any WordPress environment that uses the plugin without additional CSRF safeguards.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of exploitation under current conditions, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is a social‑engineering attempt that lures an administrator into visiting a maliciously crafted URL. The absence of nonce checks allows the forged request to be processed without authentication, making the exploit straightforward once the admin acts.

Generated by OpenCVE AI on April 15, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dam Spam plugin to a version newer than 1.0.8.
  • If an upgrade is not possible, edit the cleanup.php file to require nonce verification or disable the pending comment deletion action entirely.
  • Limit access to the cleanup page to trusted administrators and educate them about avoiding suspicious links and understanding CSRF risks.

Generated by OpenCVE AI on April 15, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Webguyio
Webguyio dam Spam
Wordpress
Wordpress wordpress
Vendors & Products Webguyio
Webguyio dam Spam
Wordpress
Wordpress wordpress

Wed, 18 Feb 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pending comments via a forged request granted they can trick an admin into performing an action such as clicking on a link.
Title Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Webguyio Dam Spam
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:22.014Z

Reserved: 2026-02-06T14:33:43.570Z

Link: CVE-2026-2112

cve-icon Vulnrichment

Updated: 2026-02-18T12:25:00.233Z

cve-icon NVD

Status : Deferred

Published: 2026-02-18T08:16:15.637

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2112

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses