CVE-2025-2935: 
WordPress vulnerability analysis and mitigation

The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2024.7. This vulnerability was discovered and reported by Wordfence, with disclosure on June 6, 2025 (NVD).

The vulnerability stems from missing or incorrect nonce validation in the 'ssoptionmaint.php' and 'ssuserfilter_list' files. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (Wordfence).

The vulnerability allows unauthenticated attackers to perform two unauthorized actions if they can trick a site administrator into clicking a malicious link: 1) delete pending comments, and 2) re-enable previously blocked users. This could lead to potential spam management disruption and compromise of the site's anti-spam measures (NVD).

Site administrators should update the Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin to a version newer than 2024.7 once available. Until then, administrators should be particularly cautious about clicking links while logged into their WordPress admin accounts (NVD).