CVE-2025-15376 Overview
The Stopwords for comments plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.1. The vulnerability exists due to missing nonce validation on the set_stopwords_for_comments and delete_stopwords_for_comments functions. This security flaw enables unauthenticated attackers to add or delete stopwords through a forged request if they can successfully trick a site administrator into performing an action such as clicking on a malicious link.
Critical Impact
Unauthenticated attackers can manipulate comment stopword configurations by exploiting missing CSRF protections, potentially disrupting site comment moderation functionality.
Affected Products
- WordPress Stopwords for comments plugin versions up to and including 1.1
Discovery Timeline
- 2026-01-14 - CVE-2025-15376 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-15376
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The core issue lies in the absence of nonce verification within the plugin's administrative functions. WordPress provides built-in nonce functionality to protect against CSRF attacks, but the affected plugin fails to implement these protections in the set_stopwords_for_comments and delete_stopwords_for_comments functions.
Without proper nonce validation, the plugin cannot verify that requests to modify stopword settings originated from legitimate administrative actions within the WordPress dashboard. This allows attackers to craft malicious requests that, when executed in the context of an authenticated administrator's browser session, will be processed as legitimate.
Root Cause
The root cause is the missing nonce validation in the plugin's administrative functions. WordPress requires plugins to verify nonces using functions like wp_verify_nonce() or check_admin_referer() to ensure that form submissions and AJAX requests originate from authorized sources. The set_stopwords_for_comments and delete_stopwords_for_comments functions in functions.php lack these security checks, leaving them vulnerable to forged cross-site requests.
Attack Vector
The attack requires user interaction—specifically, an authenticated administrator must be tricked into visiting a malicious page or clicking a crafted link. The attacker constructs a request targeting the vulnerable plugin functions and hosts it on a controlled page or embeds it in a phishing email. When the administrator's browser executes the request while their WordPress session is active, the plugin processes the forged request as legitimate, allowing the attacker to add or delete stopwords from the comment moderation system.
The vulnerability mechanism involves crafting HTTP requests to the vulnerable WordPress plugin endpoints. When an administrator clicks a malicious link while authenticated, their browser automatically includes session cookies, causing the plugin to process the forged request. Technical details are available in the WordPress Plugin Code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-15376
Indicators of Compromise
- Unexpected changes to stopword lists in the WordPress comment moderation settings
- Unusual HTTP POST requests to WordPress admin endpoints associated with the Stopwords for comments plugin
- Administrator accounts showing suspicious activity patterns, especially following external link clicks
Detection Strategies
- Monitor WordPress audit logs for changes to plugin settings by administrators that cannot be correlated with legitimate dashboard sessions
- Implement web application firewall (WAF) rules to detect and block suspicious cross-site request patterns targeting WordPress admin functions
- Review server access logs for POST requests to stopword-related endpoints from suspicious referrer URLs
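The access-log review described above, as an added example that is not part of the original advisory: a small PHP CLI script that scans combined-format access log lines for POSTs to WordPress admin endpoints whose Referer is absent or belongs to another host, the trace a forged cross-site request typically leaves. The site hostname, the log lines and the stopword-related action names are constructed assumptions; the plugin's real endpoint names are not given on this page.

```php
<?php
// Added example, not the plugin's or Wordfence's code. Hostname, endpoint pattern,
// action names and log lines below are constructed assumptions for illustration.
const SITE_HOST       = 'blog.example.com';
const ADMIN_ENDPOINTS = '#^/wp-admin/(admin-post|admin-ajax|options)\.php#';
const STOPWORD_HINT   = '/stopwords?_for_comments|stopword/i';

// Parse one Apache/Nginx combined-log line; returns null when the line does not match.
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6]];
}

// A state-changing POST to an admin endpoint is suspicious when the Referer is missing
// (pages can suppress it with Referrer-Policy) or points at a host other than the site.
function is_suspicious(array $r): bool {
    if ($r['method'] !== 'POST' || !preg_match(ADMIN_ENDPOINTS, $r['path'])) {
        return false;
    }
    $refHost = ($r['referer'] === '' || $r['referer'] === '-')
        ? null : (parse_url($r['referer'], PHP_URL_HOST) ?: null);
    return $refHost === null || strcasecmp($refHost, SITE_HOST) !== 0;
}

// Constructed sample log: one legitimate dashboard save, two cross-site POSTs, one benign GET.
$constructedLog = <<<'LOG'
203.0.113.7 - - [14/Jan/2026:10:02:11 +0000] "POST /wp-admin/admin-post.php?action=set_stopwords_for_comments HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/options-general.php?page=stopwords" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2026:10:05:40 +0000] "POST /wp-admin/admin-post.php?action=set_stopwords_for_comments HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2026:10:06:02 +0000] "POST /wp-admin/admin-post.php?action=delete_stopwords_for_comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2026:10:07:15 +0000] "GET /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", $constructedLog) as $line) {
    $r = parse_log_line($line);
    if ($r !== null && is_suspicious($r)) {
        $hint = preg_match(STOPWORD_HINT, $r['path']) ? ' [stopword action]' : '';
        printf("ALERT %s %s %s referer=%s%s\n", $r['time'], $r['ip'], $r['path'], $r['referer'], $hint);
    }
}
```

Only the second and third sample lines are reported; correlating the flagged timestamps with the administrator's dashboard session and with the audit log of option changes confirms whether a forged request was actually processed.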
Monitoring Recommendations
- Enable comprehensive logging of all WordPress administrative actions, particularly plugin setting modifications
- Configure alerts for bulk changes to comment moderation settings
- Implement browser-based security headers like Content-Security-Policy to reduce CSRF attack surface
How to Mitigate CVE-2025-15376
Immediate Actions Required
- Update the Stopwords for comments plugin to a version that includes proper nonce validation (if available)
- Consider temporarily disabling the plugin until a patched version is released
- Review and audit recent changes to comment stopword configurations for unauthorized modifications
- Educate site administrators about the risks of clicking unknown links while logged into WordPress
Patch Information
A patch addressing this CSRF vulnerability should implement proper WordPress nonce verification in the set_stopwords_for_comments and delete_stopwords_for_comments functions. Check the WordPress Plugin Repository for updated versions. Refer to the Wordfence Vulnerability Report for the latest mitigation guidance.
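The nonce and capability checks the root cause and patch sections call for, shown as an added illustration rather than the plugin's own code: a hypothetical admin-post handler for saving comment stopwords, first in the form the advisory describes (no nonce verification), then hardened with WordPress's check_admin_referer() and current_user_can(). The option name, action names and form field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Option name 'stopwords_for_comments',
// action 'stopwords_save' and field names are assumptions made for this example.

// --- Pattern the advisory describes: any POST carrying the admin's session cookie is accepted ---
function stopwords_save_vulnerable() {
    $words = isset( $_POST['stopwords'] ) ? (string) wp_unslash( $_POST['stopwords'] ) : '';
    update_option( 'stopwords_for_comments', sanitize_textarea_field( $words ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=stopwords' ) );
    exit;
}

// --- Hardened pattern ---
function stopwords_save_hardened() {
    // 1. Reject requests without a valid nonce bound to this action and this user;
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'stopwords_save', '_stopwords_nonce' );

    // 2. A nonce proves the request came from a page this user loaded, not that the
    //    user may change settings, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'stopwords' ), '', array( 'response' => 403 ) );
    }

    // 3. Validate and sanitise before storing: one stopword per line or comma.
    $raw   = isset( $_POST['stopwords'] ) ? (string) wp_unslash( $_POST['stopwords'] ) : '';
    $words = array_filter( array_map( 'sanitize_text_field', preg_split( '/[\r\n,]+/', $raw ) ) );
    update_option( 'stopwords_for_comments', array_values( array_unique( $words ) ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=stopwords' ) ) );
    exit;
}
add_action( 'admin_post_stopwords_save', 'stopwords_save_hardened' );

// The settings form must emit the matching nonce field, or the hardened handler rejects it.
function stopwords_render_form() {
    $current = (array) get_option( 'stopwords_for_comments', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="stopwords_save">
        <?php wp_nonce_field( 'stopwords_save', '_stopwords_nonce' ); ?>
        <textarea name="stopwords" rows="8"><?php echo esc_textarea( implode( "\n", $current ) ); ?></textarea>
        <?php submit_button( __( 'Save stopwords', 'stopwords' ) ); ?>
    </form>
    <?php
}
```

A delete handler gets the same treatment with its own nonce action (for example 'stopwords_delete'), so a nonce issued for saving cannot be replayed against deletion.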
Workarounds
- Implement a Web Application Firewall (WAF) with CSRF protection rules to filter potentially malicious requests
- Use browser extensions or policies that restrict automatic form submissions from external sites
- Limit administrative access to trusted IP addresses using .htaccess or server-level firewall rules
# Example .htaccess configuration restricting wp-login.php to trusted networks
# (Apache 2.4 "Require" syntax; Apache 2.2 used Order Deny,Allow / Deny from all / Allow from ...).
# Note: this narrows who can reach the login page but does not stop a forged request
# issued by an administrator's own browser from inside a trusted network.
# To cover the wp-admin directory as well, place an equivalent block in wp-admin/.htaccess,
# allowing admin-ajax.php through if front-end features depend on it.
<Files wp-login.php>
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.