CVE-2022-4120
Published: 26 December 2022
Summary
CVE-2022-4120 is a critical-severity vulnerability in Trumani Stop Spammers; the weakness type is unspecified (no CWE assigned). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability affects the Stop Spammers Security WordPress plugin prior to version 2022.6. When CAPTCHA is configured as a second challenge, the plugin passes base64-encoded user input directly to PHP's unserialize() function, enabling PHP object injection if any other installed plugin supplies a usable gadget chain. The issue carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply a crafted serialized payload through the CAPTCHA flow and achieve arbitrary code execution, data compromise, or full site takeover on an affected WordPress installation. No authentication or user interaction is required.
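The bug class described above (base64-decoded user input handed straight to unserialize()) and two ways to close it, as an added illustration that is not the Stop Spammers plugin's own code. The CAPTCHA state round-trip, the function names, the hidden-field format and the HMAC key are all assumptions made for the example; the hardening options shown are standard PHP (unserialize() with allowed_classes, PHP 7.0+; json_decode(); hash_hmac()/hash_equals()).

```php
<?php
// Added illustration, not the Stop Spammers plugin's own code.
// Hypothetical CAPTCHA state round-trip: the server encodes a small
// state array into a hidden field and reads it back on form submit.

// Vulnerable pattern (the class of bug CVE-2022-4120 describes):
// user-controlled base64 data is fed straight to unserialize(), so any
// class with __wakeup()/__destruct() side effects that another installed
// plugin has loaded becomes instantiable from the request.
function read_captcha_state_vulnerable(string $field): array
{
    $raw = base64_decode($field, true);
    if ($raw === false) {
        return [];
    }
    $state = unserialize($raw);            // objects can be instantiated here
    return is_array($state) ? $state : [];
}

// Hardened pattern 1: keep the format but forbid object instantiation.
// With allowed_classes => false (PHP 7.0+), any serialized object becomes
// __PHP_Incomplete_Class and no magic methods on real classes run.
function read_captcha_state_hardened(string $field): array
{
    $raw = base64_decode($field, true);
    if ($raw === false) {
        return [];
    }
    $state = unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// Hardened pattern 2 (preferred): do not use serialize() for untrusted
// round-trips at all. JSON cannot express objects with behaviour, and an
// HMAC over the payload rejects anything the server did not issue.
function issue_captcha_state(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json . '.' . $mac);
}

function read_captcha_state_json(string $field, string $key): array
{
    $raw = base64_decode($field, true);
    if ($raw === false || ($pos = strrpos($raw, '.')) === false) {
        return [];
    }
    $json = substr($raw, 0, $pos);
    $mac  = substr($raw, $pos + 1);
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return [];                          // tampered or forged field
    }
    $state = json_decode($json, true);
    return is_array($state) ? $state : [];
}

// Detection helper for a WAF or log rule: a serialized PHP object marker
// (O:<len>:"ClassName": at top level or after a ';' inside an array) is
// never legitimate in this field and is worth alerting on.
function looks_like_serialized_object(string $field): bool
{
    $raw = base64_decode($field, true);
    return $raw !== false && preg_match('/(^|;)O:\d+:"/', $raw) === 1;
}

// Constructed sample inputs for a quick local run.
$key   = 'replace-with-a-secret-from-config'; // placeholder, not a real key
$token = issue_captcha_state(['challenge' => 'captcha', 'ts' => 1700000000], $key);
var_dump(read_captcha_state_json($token, $key));      // valid token: state array
$tampered = base64_encode(str_replace('captcha', 'none', base64_decode($token)));
var_dump(read_captcha_state_json($tampered, $key));   // MAC mismatch: empty array
$probe = base64_encode('O:8:"stdClass":0:{}');        // harmless object marker
var_dump(looks_like_serialized_object($probe));       // flagged for alerting
var_dump(read_captcha_state_hardened($probe));        // incomplete class, not an array
```

The allowed_classes option is the minimal patch when the serialized format must be kept for compatibility; moving to signed JSON removes the deserialization sink entirely, which is why it is the preferred fix. The detection helper is useful on its own for hunting in web server or WAF logs after upgrading to 2022.6 or later.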
The referenced WPScan advisory identifies the flaw and links it to the fixed release 2022.6. The EPSS score rose materially from a low baseline to a peak of 0.2247 on 2025-12-11 before receding to the current value of 0.0675, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51487
Vulnerability details
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA is used as a second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.