A recently disclosed vulnerability in the WordPress anti-spam plugin “Stop Spammers Security | Block Spam Users, Comments, Forms” could affect up to 60,000 sites.
This plugin, which is used to prevent spam in comments, forms, and sign-up registrations, was found to contain a PHP Object injection vulnerability caused by improper input sanitization.
The flaw allows base64-encoded user input to be decoded and processed by the plugin, which can trigger PHP Object injection. You can find more details here!
PHP Object injection vulnerabilities occur when attacker-controlled data reaches PHP's unserialize() function, so the attacker chooses which objects are created on the server; depending on the classes available to the application, this can allow them to execute arbitrary code.
These vulnerabilities can have serious consequences, including remote code execution and access to sensitive data. The Open Web Application Security Project (OWASP) classifies this class of flaw as Insecure Deserialization and rates its potential impact as severe.
To address the vulnerability, the Stop Spammers Security plugin was updated to version 2022.6, which includes a fix for the issue.
Users of the plugin are advised to update to the latest version to protect against exploitation. The official changelog for the plugin describes the update as a security enhancement.
Read the United States Government National Vulnerability Database Notification here!
What does the “Stop Spammers Security | Block Spam Users, Comments, Forms” WordPress plugin do?
It is designed to prevent spam in comments, forms, and sign-up registrations. It helps block spam bots and lets site owners enter IP addresses to block.
The plugin is designed to accept only specific kinds of input, such as text, images, and email addresses, and to filter out anything unexpected through a sanitization process. By inspecting and blocking input that is not expected, the plugin helps protect against spam and other unwanted submissions.
WordPress plugins and forms that accept user input must sanitize and filter that input properly to prevent vulnerabilities such as PHP Object injection.
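To make the pattern described above concrete (the base64-decode-then-unserialize() step and the sanitization advice), here is an added illustration that is not the plugin's own code; the function names, setting keys and sample input are constructed for this example.

```php
<?php
// VULNERABLE (hypothetical): a base64-encoded request parameter is decoded and
// passed straight to unserialize(). Any class loaded by the application becomes
// instantiable from the request, and its __wakeup()/__destruct() methods run.
function load_settings_vulnerable(string $encoded): mixed {
    return unserialize(base64_decode($encoded));
}

// HARDENED: same transport (base64 in a request parameter), but the payload is
// JSON, which can only yield arrays and scalars, never objects with methods,
// and the decoded shape is validated against an allow-list before use.
function load_settings_hardened(string $encoded): ?array {
    $raw = base64_decode($encoded, true); // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 8); // associative arrays only, bounded depth
    if (!is_array($data)) {
        return null;
    }
    // Keep only the keys and value types this (example) settings schema expects.
    $clean = [];
    $clean['blocked_ips'] = array_values(array_filter(
        (array)($data['blocked_ips'] ?? []),
        fn($ip) => is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP) !== false
    ));
    $clean['block_comments'] = (bool)($data['block_comments'] ?? false);
    return $clean;
}

// If legacy serialized data truly must be read, at minimum forbid object
// instantiation: any class in the payload becomes __PHP_Incomplete_Class and
// no magic methods execute.
function load_legacy_serialized(string $encoded): mixed {
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample input (not a real payload): a JSON settings blob in which
// one IP entry is invalid and should be dropped by the allow-list filter.
$sample = base64_encode(json_encode([
    'blocked_ips'    => ['203.0.113.10', 'not-an-ip'],
    'block_comments' => true,
]));
var_dump(load_settings_hardened($sample));
```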