Cross-Site Request Forgery Vulnerability in Anti-Spam Plugin for WordPress
CVE-2025-2935

5.4 MEDIUM

What is CVE-2025-2935?

The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2024.7. Request handlers in specific files of the plugin do not correctly validate the WordPress nonce that ties a request to the plugin's own admin UI, so an unauthenticated attacker can craft a request that deletes pending comments or reactivates blocked users, provided they can trick a logged-in administrator into performing an action such as clicking a link; the browser attaches the administrator's session cookies to the forged request automatically. Capability checks alone do not stop this, because the forged request runs with the administrator's privileges.
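
The following illustration is added to this advisory and is not the plugin's code. It shows a hypothetical WordPress admin-post handler that deletes a pending comment, first in the CSRF-prone shape the advisory describes (a nonce check that is present but ineffective) and then hardened with a capability check and a nonce bound to both the action and the comment ID. All function, action and nonce names (asp_demo_*) are assumptions made for this example; only the WordPress core APIs it calls (add_action, wp_verify_nonce, check_admin_referer, wp_nonce_url, current_user_can, wp_delete_comment) are real.

```php
<?php
/**
 * Added illustration, not the plugin's code. The asp_demo_* names are invented.
 */

// --- CSRF-prone shape -------------------------------------------------------
// One common way a nonce check ends up "improper": wp_verify_nonce() is called
// but its return value is discarded, so a request with no nonce (or a bogus
// one) still reaches wp_delete_comment(). A logged-in administrator who loads
// an attacker-controlled page has their browser send this request with their
// cookies attached, and nothing here proves it came from the plugin's own UI.
add_action( 'admin_post_asp_demo_delete_pending', 'asp_demo_delete_pending_vulnerable' );
function asp_demo_delete_pending_vulnerable() {
    $nonce      = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    $comment_id = isset( $_GET['comment_id'] ) ? absint( $_GET['comment_id'] ) : 0;

    wp_verify_nonce( $nonce, 'asp_demo_delete_pending' ); // result ignored: no protection

    if ( $comment_id ) {
        wp_delete_comment( $comment_id, true );
    }
    wp_safe_redirect( admin_url( 'edit-comments.php?comment_status=moderated' ) );
    exit;
}

// --- Hardened shape ---------------------------------------------------------
add_action( 'admin_post_asp_demo_delete_pending_safe', 'asp_demo_delete_pending_safe' );
function asp_demo_delete_pending_safe() {
    // 1. Authorization: the caller must be allowed to moderate comments at all.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the request must carry a nonce minted for this action, for
    //    this comment, for this user's session. A cross-site page cannot read
    //    that value, so it cannot forge a request that passes this check.
    //    check_admin_referer() reads the _wpnonce query argument and calls
    //    wp_die() itself when the nonce is missing or invalid.
    $comment_id = isset( $_GET['comment_id'] ) ? absint( $_GET['comment_id'] ) : 0;
    check_admin_referer( 'asp_demo_delete_pending_' . $comment_id );

    if ( $comment_id && get_comment( $comment_id ) ) {
        wp_delete_comment( $comment_id, true );
    }
    wp_safe_redirect( admin_url( 'edit-comments.php?comment_status=moderated' ) );
    exit;
}

// The plugin's own UI mints the matching nonce when it renders the link.
// Binding the comment ID into the action string keeps a nonce issued for one
// comment from being replayed against a different one.
function asp_demo_delete_link( $comment_id ) {
    $comment_id = absint( $comment_id );
    $url        = add_query_arg(
        array(
            'action'     => 'asp_demo_delete_pending_safe',
            'comment_id' => $comment_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'asp_demo_delete_pending_' . $comment_id );
}
```

The nonce proves intent (the request came from a page WordPress rendered for this user), while current_user_can() proves authorization; a state-changing handler needs both, since a valid nonce held by a low-privilege user must not let them moderate comments, and a capability check alone is exactly what a CSRF request sails through. When auditing a plugin for this bug class, list every admin_post_*, wp_ajax_* and admin-page handler that mutates state and confirm each one calls check_admin_referer() or acts on the return value of wp_verify_nonce() before touching request parameters.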

Affected Version(s)

Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms * <= 2024.7

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Noah Stead