Description
The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-03-21
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Comment SPAM Wiper plugin for WordPress stores the value of the "API Key" setting without performing proper input validation or output escaping. The plugin subsequently renders this value on every page, so an authenticated user with Administrator or higher privileges can inject arbitrary JavaScript that will be executed in the browsers of any visitor who loads a page containing the stored value. This stored Cross‑Site Scripting flaw allows the attacker to run client‑side code that could harvest data, manipulate page content, or perform actions on behalf of the user, but only when the plugin’s configuration is displayed.

Affected Systems

The vulnerability affects the intermod Comment SPAM Wiper plugin for WordPress in all releases up to and including version 1.2.1. It applies to multi‑site installations where the unfiltered_html capability is disabled, and does not affect other WordPress components or plugins.

Risk and Exploitability

The CVSS base score of 4.4 indicates a moderate impact if the conditions are met. No EPSS data is available and the flaw is not listed in the CISA KEV catalog. Exploitation requires an account with Administrator or higher privileges to modify the "API Key" field; once the malicious payload is stored, it will automatically execute for all site visitors without additional action. The risk is confined to sites that enable the plugin under the specified conditions, but the impact of successful exploitation is the full range of cross‑site scripting attacks on site users.

Generated by OpenCVE AI on March 21, 2026 at 07:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Comment SPAM Wiper plugin to a version newer than 1.2.1 as soon as an update is released.
  • If a patch is unavailable, uninstall or deactivate the plugin to eliminate the storage vector.
  • Ensure that the unfiltered_html capability is disabled for non‑administrator roles to limit exposure to stored scripts.
  • Regularly review the plugin configuration for unexpected script tags to detect possible exploitation attempts.

Generated by OpenCVE AI on March 21, 2026 at 07:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Intermod
Intermod comment Spam Wiper
Wordpress
Wordpress wordpress
Vendors & Products Intermod
Intermod comment Spam Wiper
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Comment SPAM Wiper <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Intermod Comment Spam Wiper
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:18.651Z

Reserved: 2026-02-27T17:03:29.846Z

Link: CVE-2026-3353

cve-icon Vulnrichment

Updated: 2026-03-23T15:07:32.782Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:17:21.917

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:39Z

Weaknesses