OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Security & Risk Analysis

wordpress.org/plugins/oopspam-anti-spam

Protect your forms from spam with 99.9% accuracy - no CAPTCHA, no JavaScript, no tracking. Trusted by 3.5M+ websites.

6K active installs · v1.2.67 · PHP + WP 3.6+ · Updated Mar 30, 2026
Tags: anti-spam, contact-forms, form-protection, security, spam-blocker
Score: 93 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Mar 23, 2026
Safety Verdict

Is OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Safe to Use in 2026?

Generally Safe

Score 93/100

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Mar 23, 2026 · Updated 1mo ago
Risk Assessment

The "oopspam-anti-spam" plugin, version 1.2.64, exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation and output escaping, with 81% and 80% respectively, several significant concerns arise from the static analysis. The presence of 8 AJAX handlers, with half of them lacking authentication checks, creates a substantial attack surface. This, combined with taint analysis revealing two flows with unsanitized paths, one of which is of high severity, suggests potential vulnerabilities that could be exploited by attackers. The plugin's historical vulnerability record, with 3 known medium-severity CVEs including Protection Mechanism Failure, CSRF, and XSS, further underscores the need for vigilance. Although there are no currently unpatched vulnerabilities, the pattern of past issues indicates a recurring need for robust security patching and development practices. Overall, while the plugin has some strengths, the unprotected entry points and identified taint issues present a clear risk that requires attention.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Medium severity CVEs in history
  • Unsanitized paths in taint analysis
  • File operations present
  • External HTTP requests present
Vulnerabilities
4 published

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2026-32544 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.62 - Unauthenticated Stored Cross-Site Scripting

Mar 23, 2026 Patched in 1.2.63 (4d)
CVE-2025-12094 · medium · 5.3 · Protection Mechanism Failure

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing

Oct 30, 2025 Patched in 1.2.54 (1d)
CVE-2023-35913 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

OOPSpam Anti-Spam <= 1.1.44 - Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries

Jun 21, 2023 Patched in 1.1.45 (216d)
CVE-2023-22716 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OOPSpam Anti-Spam <= 1.1.35 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 17, 2023 Patched in 1.1.36 (371d)
Version History

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Release Timeline

v1.2.67 (Current)
v1.2.66
v1.2.65
v1.2.64
v1.2.63
v1.2.62 · 1 CVE
v1.2.61 · 1 CVE
v1.2.60 · 1 CVE
v1.2.59 · 1 CVE
v1.2.58 · 1 CVE
v1.2.57 · 1 CVE
v1.2.56 · 1 CVE
v1.2.55 · 1 CVE
v1.2.54 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 10 (42 prepared)
Unescaped Output: 157 (620 escaped)
Nonce Checks: 16
Capability Checks: 7
File Operations: 7
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

81% prepared · 52 total queries

Output Escaping

80% escaped · 777 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

8 flows · 2 with unsanitized paths
process_bulk_action (include\UI\display-ham-entries.php:644)
Attack Surface
4 unprotected

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Attack Surface

Entry Points: 8
Unprotected: 4

AJAX Handlers 8

auth · wp_ajax_process_bulk_entries · include\Background\AsyncProcessor.php:6
auth · wp_ajax_empty_ham_entries · include\UI\display-ham-entries.php:42
auth · wp_ajax_export_ham_entries · include\UI\display-ham-entries.php:129
auth · wp_ajax_empty_spam_entries · include\UI\display-spam-entries.php:49
auth · wp_ajax_export_spam_entries · include\UI\display-spam-entries.php:137
auth · wp_ajax_update_cloud_providers_setting · options.php:28
auth · wp_ajax_oopspam_refresh_usage · options.php:5193
auth · wp_ajax_oopspam_process_wizard_step · setup-wizard.php:258
WordPress Hooks 94
action · plugins_loaded · db\oopspam-db-ratelimit.php:71
action · plugins_loaded · db\oopspam-spamentries.php:96
filter · oopspam_disable_individual_not_spam_email · include\Background\AsyncProcessor.php:40
action · admin_enqueue_scripts · include\localize-script.php:19
filter · cron_schedules · include\oopspam-rate-limiting.php:36
action · admin_footer · include\UI\display-ham-entries.php:659
filter · set-screen-option · include\UI\display-ham-entries.php:750
action · admin_menu · include\UI\display-ham-entries.php:751
action · plugins_loaded · include\UI\display-ham-entries.php:846
action · admin_footer · include\UI\display-spam-entries.php:1224
filter · set-screen-option · include\UI\display-spam-entries.php:1386
action · admin_menu · include\UI\display-spam-entries.php:1387
action · plugins_loaded · include\UI\display-spam-entries.php:1493
action · acf/validate_save_post · integration\AcfFrontEndForm.php:5
filter · fusion_form_submission_data · integration\AvadaForm.php:5
action · fl_module_contact_form_before_send · integration\BeaverBuilder.php:5
filter · breakdance_form_run_action_email · integration\BreakdanceForm.php:5
filter · bricks/form/validate · integration\BricksForm.php:5
action · bp_signup_validate · integration\Buddypress.php:5
filter · wpcf7_spam · integration\ContactForm7.php:5
filter · wpcf7_display_message · integration\ContactForm7.php:93
action · elementor_pro/forms/validation · integration\ElementorForm.php:5
action · fluentform/before_insert_submission · integration\FluentForms.php:5
filter · frm_validate_entry · integration\FormidableForms.php:5
filter · forminator_spam_protection · integration\Forminator.php:5
action · give_checkout_error_checks · integration\GiveWP.php:5
filter · gform_entry_is_spam · integration\GravityForms.php:5
filter · gform_confirmation · integration\GravityForms.php:6
action · gform_partialentries_post_entry_saved · integration\GravityForms.php:8
filter · gform_update_status · integration\GravityForms.php:71
filter · happyforms_validate_submission · integration\HappyForms.php:5
filter · jetpack_contact_form_is_spam · integration\JetpackForms.php:5
action · kadence_blocks_form_submission · integration\Kadence.php:4
action · kadence_blocks_advanced_form_submission_reject · integration\Kadence.php:5
filter · kadence_blocks_advanced_form_submission_reject_message · integration\Kadence.php:59
action · mailpoet_subscription_before_subscribe · integration\Mailpoet.php:4
filter · mc4wp_form_errors · integration\MC4WP.php:4
filter · mc4wp_form_messages · integration\MC4WP.php:63
action · mepr-validate-signup · integration\MemberPress.php:4
filter · mf_after_validation_check · integration\Metform.php:5
filter · ninja_forms_submit_data · integration\NinjaForms.php:4
filter · piotnetforms/form_builder/validate_pre_submit_form · integration\PionetForms.php:4
filter · pmpro_registration_checks · integration\Pmpro.php:4
filter · quform_pre_validate · integration\Quform.php:5
filter · surecart/checkout/validate · integration\SureCart.php:5
filter · srfm_before_submission · integration\SureForms.php:5
filter · cred_form_validate · integration\Toolset.php:4
filter · newsletters_subscriber_validation · integration\TribulantNewsletters.php:6
filter · um_submit_form_errors_hook · integration\UMember.php:4
action · rest_api_init · integration\WooCommerce.php:41
action · woocommerce_register_form · integration\WooCommerce.php:46
action · woocommerce_after_checkout_billing_form · integration\WooCommerce.php:47
action · woocommerce_login_form · integration\WooCommerce.php:48
action · woocommerce_register_post · integration\WooCommerce.php:52
action · woocommerce_process_registration_errors · integration\WooCommerce.php:53
filter · woocommerce_process_login_errors · integration\WooCommerce.php:54
action · woocommerce_checkout_process · integration\WooCommerce.php:55
action · woocommerce_store_api_checkout_order_processed · integration\WooCommerce.php:57
action · woocommerce_checkout_order_processed · integration\WooCommerce.php:58
action · woocommerce_new_order · integration\WooCommerce.php:60
action · woocommerce_order_save_attribution_data · integration\WooCommerce.php:62
action · woocommerce_order_status_failed · integration\WooCommerce.php:65
filter · wpdiscuz_before_comment_post · integration\WPDiscuz.php:4
action · wpforms_process · integration\WPForms.php:5
filter · registration_errors · integration\WPRegistration.php:5
filter · wsf_submit_validate · integration\WSForm.php:5
action · init · oopspam-antispam.php:57
action · init · oopspam-antispam.php:63
action · admin_notices · oopspam-antispam.php:74
action · admin_notices · oopspam-antispam.php:77
action · plugins_loaded · oopspam-antispam.php:128
action · plugins_loaded · oopspam-antispam.php:139
action · admin_init · oopspam-antispam.php:142
filter · cron_schedules · oopspam-antispam.php:208
action · oopspam_cleanup_spam_entries_cron · oopspam-antispam.php:298
action · oopspam_cleanup_ham_entries_cron · oopspam-antispam.php:299
action · oopspam_cleanup_ratelimit_entries_cron · oopspam-antispam.php:301
action · oopspam_set_default_settings · oopspam-antispam.php:366
filter · plugin_action_links · oopspam-antispam.php:381
filter · pre_comment_approved · oopspam-antispam.php:1384
filter · pre_comment_approved · oopspam-antispam.php:1385
filter · preprocess_comment · oopspam-antispam.php:1386
action · admin_init · oopspam-antispam.php:1398
action · pre_get_posts · oopspam-antispam.php:1400
action · transition_comment_status · oopspam-antispam.php:1403
action · admin_print_styles · oopspam-antispam.php:1487
action · admin_menu · options.php:12
action · admin_init · options.php:13
action · updated_option · options.php:60
action · updated_option · options.php:86
action · admin_notices · options.php:2311
action · admin_menu · setup-wizard.php:38
action · admin_enqueue_scripts · setup-wizard.php:53
action · admin_init · setup-wizard.php:89

Scheduled Events 2

oopspam_cleanup_ham_entries_cron
oopspam_cleanup_spam_entries_cron
Maintenance & Trust

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 30, 2026
PHP min version
Downloads: 236K

Community Trust

Rating: 98/100
Number of ratings: 45
Active installs: 6K
Developer Profile

OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) Developer Profile

OOPSpam Team

2 plugins · 6K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 148 days
Detection Fingerprints

How We Detect OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/oopspam-anti-spam/assets/css/oopspam.css
/wp-content/plugins/oopspam-anti-spam/assets/js/oopspam.js
Script Paths
/wp-content/plugins/oopspam-anti-spam/assets/js/oopspam.js
Version Parameters
oopspam-anti-spam/assets/css/oopspam.css?ver=
oopspam-anti-spam/assets/js/oopspam.js?ver=

HTML / DOM Fingerprints

CSS Classes
oopspam-form-token
Data Attributes
data-oopspam-token
JS Globals
oopspam_vars
FAQ

Frequently Asked Questions about OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)