Skip to main content

Stop Spammers CVE-2026-48876

| EUVDEUVD-2026-36853 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-6hjw-x58g-gmf7
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress plugin XSS, no auth needed (PR:N), victim must trigger payload (UI:R), script crosses plugin boundary into site context (S:C), partial CIA impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:46 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.

AnalysisAI

Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.

Technical ContextAI

Stop Spammers is a popular WordPress plugin (vendor identifier 'web_guy') designed to block spam comments, registrations, and login attempts. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin renders attacker-controlled input into HTML without sufficient encoding or sanitization. Because WordPress plugins typically run within the wp-admin or theme rendering pipeline, an XSS payload executes with the privileges of whichever user views the affected page, enabling session theft, admin account hijacking, or arbitrary administrative actions via forged requests. The CPE 'cpe:2.3:a:web_guy:stop_spammers:*' indicates all versions through 2026.3 are in scope.

RemediationAI

Patch available per vendor advisory - upgrade Stop Spammers to a version newer than 2026.3 as published on the WordPress plugin repository, consulting Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/stop-spammer-registrations-plugin/vulnerability/wordpress-stop-spammers-plugin-2026-3-cross-site-scripting-xss-vulnerability for the exact fixed version. Until upgrade is possible, deploy a WordPress-aware WAF (Patchstack, Wordfence, or equivalent) with virtual-patching rules for this CVE, which will filter the offending parameters at the edge with negligible site impact. If neither option is viable, temporarily deactivate the Stop Spammers plugin - the trade-off is loss of spam-blocking functionality and a likely surge in registration/comment spam, so pair it with native WordPress comment moderation and reCAPTCHA on registration forms.

Share

CVE-2026-48876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy