WordPress Plugin: oopspam-anti-spam: CVE-2025-12094: Protection Mechanism Failure
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Oct 30, 2025 | Oct 31, 2025 | Nov 3, 2025 |
Description
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms and Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.
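The check the description says is missing, shown beside the weak pattern as an added example (this is not the plugin's code): forwarded headers are honoured only when the connecting peer is a known proxy. The function names and proxy addresses are hypothetical, the trusted list is exact-match only, and the hardened path handles X-Forwarded-For alone.

```php
<?php
// Added illustration; not the OOPSpam plugin's code. Function names and the
// proxy list below are hypothetical.

// Constructed sample: reverse proxies this site is actually deployed behind.
const TRUSTED_PROXIES = ['203.0.113.10', '203.0.113.11'];

// Weak pattern from the description: the headers are read from any client.
function client_ip_naive(array $server): string {
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR'] as $h) {
        if (!empty($server[$h])) {
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened: forwarded headers count only when the TCP peer is a trusted proxy.
function client_ip_checked(array $server, array $trusted = TRUSTED_PROXIES): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true)) {
        return $peer; // direct connection: ignore every forwarded header
    }
    // Walk X-Forwarded-For right to left, skipping trusted hops. The first
    // untrusted, valid address is the one a trusted proxy itself observed.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // empty or malformed chain: fall back to the peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed request: an untrusted peer supplying its own forwarded header.
$req = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
echo 'naive:   ', client_ip_naive($req), "\n";
echo 'checked: ', client_ip_checked($req), "\n";
```

Block lists and rate limiters should key on the address the checked function returns, so that a header sent by an untrusted peer never changes which bucket a request lands in.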
Solution
oopspam-anti-spam-plugin-cve-2025-12094