Stop Spammers Classic Security & Risk Analysis

wordpress.org/plugins/stop-spammer-registrations-plugin

A simplified, restored, and preserved version of the original Stop Spammers plugin.

30K active installs · v2026.3 · PHP 5.0+ · WP 3.0+ · Updated Feb 24, 2026
Tags: anti-spam, no-spam, security, spam, spam-protection
Score: 89 · A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Jan 27, 2026
Safety Verdict

Is Stop Spammers Classic Safe to Use in 2026?

Generally Safe

Score 89/100

Stop Spammers Classic has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Jan 27, 2026 · Updated 1mo ago
Risk Assessment

The "stop-spammer-registrations-plugin" v2026.3 exhibits a mixed security posture. On the positive side, the plugin demonstrates good development practices with 100% of SQL queries using prepared statements and all output properly escaped. It also has a substantial number of nonce and capability checks, indicating an awareness of common WordPress security mechanisms. The static analysis reveals a small attack surface with all entry points protected by authentication checks.

However, significant concerns arise from the vulnerability history. The plugin has a history of 8 known CVEs, including one critical and seven medium severity vulnerabilities. This suggests recurring security weaknesses within the plugin's codebase. The common vulnerability types (CSRF, Deserialization, XSS) indicate potential issues with input validation and handling of user-supplied data, despite the taint analysis showing only one flow with unsanitized paths. The presence of the `unserialize` function, while not flagged as critical in the taint analysis for this version, is a known risk factor for deserialization vulnerabilities, especially if coupled with untrusted data sources. All four flagged calls in this version pass `['allowed_classes' => false]`, an option PHP honours from 7.0 onward that prevents the call from instantiating objects, while the plugin's declared minimum PHP version is 5.0.

In conclusion, while the current version's static analysis shows improved secure coding practices in terms of SQL and output handling, the plugin's past vulnerability landscape is a major red flag. The history of critical and medium severity vulnerabilities, particularly those related to deserialization, necessitates a cautious approach. Users should be aware that despite the current analysis, past patterns of exploitable flaws may persist or be reintroduced in future updates.

Key Concerns

  • History of critical CVEs
  • History of medium CVEs
  • Presence of dangerous function (unserialize)
  • Flow with unsanitized paths
Vulnerabilities
8

Stop Spammers Classic Security Vulnerabilities

CVEs by Year

2021: 2 CVEs
2022: 1 CVE
2023: 2 CVEs
2024: 1 CVE
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Critical: 1
Medium: 7

8 total CVEs

CVE-2025-14795 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist

Jan 27, 2026 · Patched in 2026.2 (2d)

CVE-2025-2935 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms <= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions

Jun 5, 2025 · Patched in 2025 (134d)

CVE-2023-7065 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Stop Spammers Security | Block Spam Users, Comments, Forms <= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process

May 3, 2024 · Patched in 2024.5 (88d)

CVE-2023-2488 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stop Spammers Security <= 2022.6 - Reflected Cross-Site Scripting

May 15, 2023 · Patched in 2023 (253d)

CVE-2023-2489 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stop Spammers Security <= 2022.6 - Authenticated (Admin+) Stored Cross-Site Scripting

May 15, 2023 · Patched in 2023 (253d)

CVE-2022-4120 · critical · 9.8 · Deserialization of Untrusted Data

Stop Spammers Security <= 2022.5 - Unauthenticated PHP Object Injection

Dec 5, 2022 · Patched in 2022.6 (414d)

CVE-2021-24517 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stop Spammers Security <= 2021.17 - Authenticated (Admin+) Stored Cross-Site Scripting

Aug 9, 2021 · Patched in 2021.18 (897d)

CVE-2021-24245 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stop Spammers <= 2021.8 - Reflected Cross-Site Scripting

Apr 8, 2021 · Patched in 2021.9 (1020d)

Code Analysis
Analyzed Mar 16, 2026

Stop Spammers Classic Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 0 (10 prepared)
Unescaped Output: 0 (424 escaped)
Nonce Checks: 30
Capability Checks: 13
File Operations: 8
External Requests: 5
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$_POST = unserialize( base64_decode( $kp ), ['allowed_classes' => false] );` · classes\ss_challenge.php:101
unserialize · `$_POST = unserialize( base64_decode( $kp ), ['allowed_classes' => false] );` · classes\ss_challenge.php:133
unserialize · `$_POST = unserialize( base64_decode( $kp ), ['allowed_classes' => false] );` · classes\ss_challenge.php:196
unserialize · `$_POST = unserialize( base64_decode( $kp ), ['allowed_classes' => false] );` · classes\ss_challenge.php:220

SQL Query Safety

100% prepared · 10 total queries

Output Escaping

100% escaped · 424 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

17 flows · 1 with unsanitized paths
sfs_handle_ajax_sfs_process_watch (includes\ss-admin-options.php:403)
Attack Surface

Stop Spammers Classic Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_sfs_sub · includes\ss-admin-options.php:32
auth · wp_ajax_sfs_process · includes\ss-admin-options.php:36

WordPress Hooks: 39

action · mu_rightnow_end · includes\ss-admin-options.php:16
filter · plugin_row_meta · includes\ss-admin-options.php:18
filter · wpmu_users_columns · includes\ss-admin-options.php:19
action · admin_menu · includes\ss-admin-options.php:21
action · rightnow_end · includes\ss-admin-options.php:22
filter · manage_users_columns · includes\ss-admin-options.php:24
action · network_admin_menu · includes\ss-admin-options.php:27
filter · comment_row_actions · includes\ss-admin-options.php:29
action · manage_users_custom_column · includes\ss-admin-options.php:37
action · admin_enqueue_scripts · includes\ss-admin-options.php:45
action · admin_init · includes\stop-spam-utils.php:175
action · admin_print_styles · stop-spammer-registrations-new.php:51
action · admin_notices · stop-spammer-registrations-new.php:64
action · admin_init · stop-spammer-registrations-new.php:74
action · admin_notices · stop-spammer-registrations-new.php:85
action · admin_init · stop-spammer-registrations-new.php:96
action · init · stop-spammer-registrations-new.php:99
filter · ss_addons_allow · stop-spammer-registrations-new.php:102
filter · ss_addons_block · stop-spammer-registrations-new.php:103
filter · ss_addons_get · stop-spammer-registrations-new.php:104
filter · pre_user_login · stop-spammer-registrations-new.php:137
action · akismet_spam_caught · stop-spammer-registrations-new.php:150
action · user_register · stop-spammer-registrations-new.php:183
action · wp_login · stop-spammer-registrations-new.php:184
action · template_redirect · stop-spammer-registrations-new.php:258
action · ss_stop_spam_caught · stop-spammer-registrations-new.php:259
action · ss_stop_spam_ok · stop-spammer-registrations-new.php:260
action · login_form · stop-spammer-registrations-new.php:265
action · register_form · stop-spammer-registrations-new.php:268
action · comment_form_after_fields · stop-spammer-registrations-new.php:271
action · init · stop-spammer-registrations-new.php:728
filter · manage_users_columns · stop-spammer-registrations-new.php:731
action · manage_users_custom_column · stop-spammer-registrations-new.php:732
filter · manage_users_sortable_columns · stop-spammer-registrations-new.php:733
filter · request · stop-spammer-registrations-new.php:734
action · wp · stop-spammer-registrations-new.php:842
filter · authenticate · stop-spammer-registrations-new.php:1001
filter · registration_errors · stop-spammer-registrations-new.php:1014
filter · pre_comment_approved · stop-spammer-registrations-new.php:1027

Maintenance & Trust

Stop Spammers Classic Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version: 5.0
Downloads: 2.6M

Community Trust

Rating: 88/100
Number of ratings: 243
Active installs: 30K
Developer Profile

Stop Spammers Classic Developer Profile

Web Guy

30 plugins · 52K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 629 days
Detection Fingerprints

How We Detect Stop Spammers Classic

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/stop-spammer-registrations-plugin/css/admin.css
Version Parameters: stop-spammer-registrations-plugin/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes: notice, notice-warning, notice-info
Data Attributes: data-ss-message
JS Globals: SS_VERSION, SS_PLUGIN_URL, SS_PLUGIN_FILE, SS_MU