VYPR
High severity · 7.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-48876

Description

Unauthenticated stored XSS in Stop Spammers plugin <=2026.3 lets attackers inject scripts executed when an admin visits a page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Stop Spammers plugin for WordPress, versions 2026.3 and earlier, contains an unauthenticated stored Cross-Site Scripting (XSS) vulnerability. An attacker can inject arbitrary JavaScript or HTML without authenticating, as described in the Patchstack advisory [1]. The flaw resides in an input field whose value is not properly sanitized before it is stored and later rendered to an administrator.

Exploitation

An attacker with network access to the target WordPress site can send a crafted request containing malicious script code. No authentication is needed to inject the payload. However, successful execution of the injected script requires a privileged user (e.g., an administrator) to perform an action such as clicking a link, visiting a crafted page, or submitting a form that renders the stored payload [1]. User interaction from a victim with administrative privileges is essential for the attack to succeed.

Impact

If an administrator triggers the stored payload, the attacker can execute arbitrary JavaScript in the context of the victim's browser. This can lead to actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or performing other HTML/script injection attacks that affect the WordPress admin interface and potentially compromise the site's integrity and confidentiality [1].

Mitigation

The vendor released version 2026.4 which resolves the vulnerability. Users are advised to update the Stop Spammers plugin to version 2026.4 or later immediately [1]. If an immediate update is not possible, Patchstack provides a virtual mitigation rule that blocks exploit attempts until the plugin is patched.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE; vulnerability mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1