CVE-2024-12554
Description
The Peter’s Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing nonce validation on the cas_register_post() function. This makes it possible for unauthenticated attackers to blacklist emails via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Peter’s Custom Anti-Spam plugin for WordPress has a CSRF flaw allowing unauthenticated attackers to trick admins into blacklisting emails.
The Peter’s Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.2.3. This is due to missing nonce validation on the cas_register_post() function, which processes requests to blacklist emails.
An unauthenticated attacker can exploit this by crafting a malicious request that, when triggered by an authenticated administrator (e.g., via a link), causes the plugin to blacklist specified email addresses. The attacker does not need any authentication but must trick a site admin into performing an action such as clicking a link.
Successful exploitation allows an attacker to blacklist arbitrary email addresses in the plugin’s settings, potentially blocking legitimate users from interacting with the site. This is a medium-severity CSRF vulnerability that could be used to disrupt site functionality.
The vulnerability has been patched in version 3.2.4, released on 2024-12-16, which adds proper nonce validation. Users are strongly advised to update to this latest version to mitigate the risk [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.