WordPress Security Bulletin: Dam Spam Plugin Vulnerability (CVE-2026-2112)

Security Alert Summary

The Dam Spam plugin for WordPress contains a Cross-Site Request Forgery (CWE-352) vulnerability that affects all versions up to and including 1.0.8. The issue is caused by missing nonce verification on the pending comment deletion action in the plugin’s cleanup page, which could allow an attacker to cause an administrator to delete all pending comments by tricking them into performing an action such as clicking a link.


CVE Details

  • CVE ID: CVE-2026-2112
  • Affected component: Dam Spam plugin for WordPress
  • Affected versions: All versions up to, and including, 1.0.8
  • Patched / fixed version: Not specified in the CVE entry
  • Published: February 18, 2026 at 8:16:15 AM
  • Last modified: February 18, 2026 at 8:16:15 AM
  • CVSS v3.1:
    • Base score: 4.3
    • Severity: MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction:
    • Privileges required: NONE (no authentication required)
    • User interaction: REQUIRED (an admin must be tricked into taking an action)
  • Primary impact:
    • Confidentiality: NONE
    • Integrity: LOW (deletion of pending comments)
    • Availability: NONE
  • CWE / weakness ID: CWE-352

Technical Details

The vulnerability is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce verification on the pending comment deletion action in the plugin’s cleanup page. Because the cleanup action does not verify a WordPress nonce, an attacker can craft a forged request that triggers the pending comment deletion when an administrator performs a simple action (for example, clicking a link).

The CVE description and its references point to the plugin's settings/cleanup.php file, and specifically to a call site at line 92 of that file in the repository and plugin sources. The absence of a nonce check on the pending comment deletion flow is the direct cause of the vulnerability.

Impact is limited to the ability to delete pending comments (integrity impact). The CVE does not indicate data disclosure, remote code execution, or availability impacts beyond that deletion behavior.
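To make the weakness class concrete, the following PHP is an added illustration and not code from the Dam Spam plugin: the first handler runs a destructive action on any request that carries a flag, the second gates the same action behind a capability check and WordPress nonce verification. The `example_` function names and the nonce action string are assumptions.

```php
<?php
// Added illustration, not code from the Dam Spam plugin. It contrasts the
// weakness class in this bulletin (CWE-352: an admin action with no nonce
// check) with the standard WordPress fix. Names prefixed "example_" are
// hypothetical.

// --- Vulnerable pattern: the action fires on any request carrying the flag. ---
function example_cleanup_vulnerable() {
    if ( isset( $_GET['delete_pending'] ) ) {
        // Nothing proves the request came from this site's own form, so a
        // link or hidden form on another site can trigger it (CSRF).
        example_delete_pending_comments();
    }
}

// --- Hardened pattern: POST only, capability check, then nonce check. ---
function example_cleanup_hardened() {
    if ( ! isset( $_POST['delete_pending'] ) ) {
        return;
    }
    // Only users allowed to moderate comments may reach the destructive action.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    // Stops with a 403 unless the request carries a valid nonce bound to this
    // action and the current user; a cross-site forged request cannot supply it.
    check_admin_referer( 'example_delete_pending', '_example_nonce' );
    example_delete_pending_comments();
}

// Shared helper: deletes every comment still awaiting moderation.
function example_delete_pending_comments() {
    $ids = get_comments( array( 'status' => 'hold', 'fields' => 'ids' ) );
    foreach ( $ids as $id ) {
        wp_delete_comment( (int) $id, true ); // true = skip the trash
    }
}

// Settings-page form that emits the nonce field the hardened handler expects.
function example_cleanup_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_delete_pending', '_example_nonce' );
    submit_button( 'Delete all pending comments', 'delete', 'delete_pending' );
    echo '</form>';
}
```

The nonce alone is not an authorization check, which is why the hardened handler also calls `current_user_can()` before verifying the referer.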


How This Could Impact Your Website

Consider a typical site with an owner, a few internal staff members who moderate comments, and an external contractor who contributes content. If an attacker lures an administrator or a user with comment-moderation capabilities into clicking a specially crafted link or visiting a page designed to submit the forged request, the pending comments queue could be cleared without the moderator’s intent. This can disrupt moderation workflows, remove legitimate pending feedback, and create administrative overhead to recover or repost moderated comments.

Because the CVE indicates no confidentiality impact, there is no indication from this entry that private user data would be exposed as a result of this vulnerability. However, deletion of moderation trails and comments can impede audits and record-keeping.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially users who can moderate comments.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and moderation logs for unusual behavior or unexpected bulk deletions.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References