GHSA-W22Q-M2FM-X9F4 phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint

Summary The WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, CAPTCHA, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Details File:...

WordPress OOPSpam Anti-Spam plugin IP Header Forgery Vulnerability

WordPress OOPSpam Anti-Spam plugin is an anti-spam plugin designed for WordPress that protects forms and comments from spam through AI and machine learning techniques without the use of CAPTCHA validation. The WordPress OOPSpam Anti-Spam plugin suffers from an IP header forgery vulnerability that...

CVE-2025-12094 OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing

The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments No CAPTCHA plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers such as CF-Connecting-IP, X-Forwarded-For,...