Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF
Description
The Throws SPAM Away WordPress plugin before 3.3.1 does not perform CSRF (nonce) checks when deleting comments (all, spam, or pending), allowing an attacker to make a logged-in administrator delete comments via a CSRF attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <3.3.1
Patches
Vulnerability mechanics
Root cause
"Missing CSRF nonce checks on comment deletion actions allows cross-site request forgery."
Attack vector
An attacker crafts a malicious link or form that, when visited by a logged-in administrator, triggers a comment deletion request to the WordPress site running the vulnerable plugin. Because the plugin lacks CSRF nonce checks on its comment deletion endpoints, the browser automatically attaches the admin's session cookies to the forged request, so the site cannot distinguish it from one submitted from the plugin's own admin page [CWE-352]. The attacker can force the deletion of all comments, spam comments, or pending comments without the admin's consent [ref_id=1]. Whether the request is a GET (e.g. an image tag) or a POST (an auto-submitted form) depends on how the plugin's endpoints are wired, which the advisory does not state.
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the comment deletion functionality of the Throws SPAM Away WordPress plugin, specifically the actions that handle deleting all comments, spam comments, or pending comments [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 3.3.1 of the Throws SPAM Away plugin [ref_id=1]. The patch is not included in the bundle, but based on the nature of the vulnerability, the fix most likely adds WordPress nonce verification (e.g. check_admin_referer() or wp_verify_nonce()) to the comment deletion actions, so that only requests carrying a nonce issued to the current user for that specific action are honoured. A nonce check is an anti-CSRF control, not an authorization check: the handler should also verify a capability such as moderate_comments before deleting anything, and both checks must run before any deletion takes place.
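The following is an added illustration of the flaw described under "Attack vector" beside the fix inferred above. It is not code from the Throws SPAM Away plugin: the advisory does not publish the real handler, so the `tsa_delete_comments` action, the `tsa_delete_comments_nonce` field and the helper names are hypothetical. Only the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, get_comments, wp_delete_comment) are real.

```php
<?php
// Added example, not Throws SPAM Away code. Action, nonce and function names are hypothetical.

// --- Vulnerable shape: any request to admin-post.php?action=tsa_delete_comments is honoured ---
// The browser attaches the admin's session cookies to a cross-site form post, so a page the
// admin merely visits can trigger the deletion. Deliberately NOT hooked below.
function tsa_delete_comments_vulnerable() {
    $which = isset( $_POST['which'] ) ? sanitize_key( $_POST['which'] ) : 'spam';
    tsa_delete_comments_by_status( $which );
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}

// --- Hardened handler: require a capability AND a nonce bound to this action ---
function tsa_delete_comments_hardened() {
    // Authorization first: a nonce check is not a substitute for a capability check.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() reads $_REQUEST['tsa_delete_comments_nonce'], verifies it against
    // the 'tsa_delete_comments' action for the current user/session, and dies with 403 if it
    // is missing or invalid. An attacker-controlled page cannot obtain a valid nonce.
    check_admin_referer( 'tsa_delete_comments', 'tsa_delete_comments_nonce' );

    $which = isset( $_POST['which'] ) ? sanitize_key( $_POST['which'] ) : 'spam';
    tsa_delete_comments_by_status( $which );
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
add_action( 'admin_post_tsa_delete_comments', 'tsa_delete_comments_hardened' );

// Shared deletion logic covering the three cases the advisory names.
// In WP_Comment_Query, status 'all' means approved + pending; 'hold' is pending; 'spam' is spam.
function tsa_delete_comments_by_status( $which ) {
    $statuses = array( 'all' => 'all', 'spam' => 'spam', 'pending' => 'hold' );
    if ( ! isset( $statuses[ $which ] ) ) {
        wp_die( 'Unknown status', 400 );
    }
    $ids = get_comments( array( 'status' => $statuses[ $which ], 'fields' => 'ids', 'number' => 0 ) );
    foreach ( $ids as $id ) {
        wp_delete_comment( (int) $id, true ); // true = bypass trash, delete permanently
    }
}

// The legitimate admin form: the hidden nonce field is exactly what a forged copy lacks.
function tsa_render_delete_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tsa_delete_comments">
        <?php wp_nonce_field( 'tsa_delete_comments', 'tsa_delete_comments_nonce' ); ?>
        <select name="which">
            <option value="spam">Spam</option>
            <option value="pending">Pending</option>
            <option value="all">All (approved and pending)</option>
        </select>
        <?php submit_button( 'Delete comments' ); ?>
    </form>
    <?php
}
```

The only difference between the two handlers is the two guard lines at the top of the hardened one; everything after them is identical. Because check_admin_referer() looks in $_REQUEST, the same check defeats a GET-based trigger (an image tag) as well as a POST-based one, which is why the nonce, not the HTTP method, is the control worth testing for when auditing similar plugins.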
Preconditions
- config: The target site must be running a version of Throws SPAM Away prior to 3.3.1
- auth: A WordPress administrator must be logged in and tricked into visiting an attacker-controlled page or link
- input: The attacker must be able to craft a cross-site request (e.g., via a malicious link, form, or image tag) that targets the plugin's comment deletion endpoints
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/ac290535-d9ec-459a-abc3-27cd78eb54fc (MISC)