CVE-2025-12094: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-12094 affects the OOPSpam Anti-Spam WordPress plugin (versions up to 1.2.53), which provides spam protection for WordPress forms and comments. The vulnerability was discovered and disclosed on October 30, 2025, by security researcher Jonas Benjamin Friedli (Rapid7, NVD).

The vulnerability is classified as a Protection Mechanism Failure (CWE-693) with a CVSS v3.1 Base Score of 5.3 (Medium). The technical issue stems from the plugin's improper handling of client-controlled forwarded headers, including CF-Connecting-IP and X-Forwarded-For, without proper verification of their legitimacy from trusted proxies (NVD).

The vulnerability allows unauthenticated attackers to bypass IP-based security controls, including blocked IP lists and rate limiting protections. This can be achieved by sending arbitrary HTTP headers with their requests, effectively compromising the plugin's security measures (NVD).

Users should update their OOPSpam Anti-Spam plugin to versions newer than 1.2.53 once available. The vulnerability has been documented in the WordPress plugin repository, indicating awareness of the issue (Wordfence).