Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable WordPress plugin XSS, no auth needed (PR:N), victim must trigger payload (UI:R), script crosses plugin boundary into site context (S:C), partial CIA impact typical of XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.
AnalysisAI
Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.
Technical ContextAI
Stop Spammers is a popular WordPress plugin (vendor identifier 'web_guy') designed to block spam comments, registrations, and login attempts. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin renders attacker-controlled input into HTML without sufficient encoding or sanitization. Because WordPress plugins typically run within the wp-admin or theme rendering pipeline, an XSS payload executes with the privileges of whichever user views the affected page, enabling session theft, admin account hijacking, or arbitrary administrative actions via forged requests. The CPE 'cpe:2.3:a:web_guy:stop_spammers:*' indicates all versions through 2026.3 are in scope.
RemediationAI
Patch available per vendor advisory - upgrade Stop Spammers to a version newer than 2026.3 as published on the WordPress plugin repository, consulting Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/stop-spammer-registrations-plugin/vulnerability/wordpress-stop-spammers-plugin-2026-3-cross-site-scripting-xss-vulnerability for the exact fixed version. Until upgrade is possible, deploy a WordPress-aware WAF (Patchstack, Wordfence, or equivalent) with virtual-patching rules for this CVE, which will filter the offending parameters at the edge with negligible site impact. If neither option is viable, temporarily deactivate the Stop Spammers plugin - the trade-off is loss of spam-blocking functionality and a likely surge in registration/comment spam, so pair it with native WordPress comment moderation and reCAPTCHA on registration forms.
More in Stop Spammers
View allThe Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2023 does not sanitise and escape
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a sp
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of i
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2023 does not sanitise and escape
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36853
GHSA-6hjw-x58g-gmf7