Trivial comment spam bypass – (All in One WP security <= 5.0.7)

Affected plugin: All In One WP Security & Firewall
Active installs: 1+ million
Vulnerable version: <= 5.0.7
Audited version: 5.0.7
Fully patched version: 5.1.9
Recommended remediation: Upgrade to version 5.1.9 or higher.


The plugin relies on “.htaccess” rewrite rules to block comment spam. NGINX does not read .htaccess files, so the rules have no effect there at all, and where Apache does apply them they can be trivially bypassed by spoofing request headers.

Proof of concept

The plugin will generate the following rewrite rules in the “.htaccess” file:

# BEGIN All In One WP Security
<IfModule mod_rewrite.c>
RewriteEngine On
# Only requests for the comment endpoint are considered
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
# Referer must start with the site URL ([NC] = case-insensitive); [OR] ties this condition to the next one
RewriteCond %{HTTP_REFERER} !^http(s)?://site\.test [NC,OR]
# ... or the User-Agent header is empty
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* [L]
</IfModule>
# END All In One WP Security

Any bot can trivially bypass this by spoofing the referrer header:

curl -s -I -X POST https://site.test/wp-comments-post.php -H "Referer: https://site.test"
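To make the weakness concrete for defenders reviewing similar controls, the following added example (not code from the advisory or the plugin) models the three RewriteCond lines above in Python and runs them over constructed requests: a normal browser comment, a naive bot, and the spoofed-Referer request shown in the proof of concept. The site name “site.test” is the placeholder the advisory itself uses; the User-Agent strings and paths are constructed sample values. The point it demonstrates is that every input the rule inspects is supplied by the client, so the rule only filters bots that do not bother to set headers.

```python
import re
from dataclasses import dataclass

# Model of the quoted RewriteCond patterns. "site.test" is the advisory's
# placeholder site name; [NC] on the Referer condition means case-insensitive.
COMMENT_URI_RE = re.compile(r"^(.*)?wp-comments-post\.php(.*)$")
SITE_REFERER_RE = re.compile(r"^http(s)?://site\.test", re.IGNORECASE)


@dataclass
class Request:
    """Constructed HTTP request carrying only the fields the rules inspect.

    mod_rewrite sees an absent header as the empty string, so the defaults
    model a request that sends neither Referer nor User-Agent.
    """
    uri: str
    referer: str = ""
    user_agent: str = ""


def htaccess_blocks(req: Request) -> bool:
    """Return True if the quoted .htaccess rule set would fire for req.

    Consecutive RewriteCond lines are ANDed unless one carries [OR], so the
    rule fires when:
        URI matches wp-comments-post.php
        AND (Referer does not start with http(s)://site.test
             OR User-Agent is empty)
    On NGINX this function is never consulted at all: NGINX ignores .htaccess.
    """
    if not COMMENT_URI_RE.search(req.uri):
        return False
    referer_foreign = SITE_REFERER_RE.search(req.referer) is None
    ua_empty = req.user_agent == ""
    return referer_foreign or ua_empty


# Constructed sample traffic against the comment endpoint.
SAMPLE_REQUESTS = {
    # A visitor posting a comment from a post page on the site.
    "browser": Request(
        "/wp-comments-post.php",
        referer="https://site.test/hello-world/",
        user_agent="Mozilla/5.0 (constructed sample UA)",
    ),
    # A bot that sends no headers at all: the only case the rule catches.
    "naive_bot": Request("/wp-comments-post.php"),
    # The proof-of-concept request: curl with its default, non-empty UA and
    # a Referer set to the site URL. Indistinguishable from a browser here.
    "spoofed_referer": Request(
        "/wp-comments-post.php",
        referer="https://site.test",
        user_agent="curl/8.0.1",
    ),
    # Unrelated page: the URI condition does not match, rule never fires.
    "front_page": Request("/index.php"),
}


def evaluate_samples() -> dict[str, bool]:
    """Map each constructed sample to whether the .htaccess rules block it."""
    return {name: htaccess_blocks(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_samples().items():
        print(f"{name:16} blocked={blocked}")
```

Only the request that sends no headers is blocked; the browser and the spoofed request produce identical decisions, which is why a check built solely on Referer and User-Agent cannot serve as a spam control, independent of whether the web server honours .htaccess.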

Proposed patch

Don’t rely on “.htaccess” files in distributed plugins.


Vendor contacted: September 10, 2022
First response: September 12, 2022
Fully patched at: May 09, 2023
Publicly disclosed: April 24, 2023


2 responses

  1. indigetal

    This is fixed as of version 5.1.9, which was released May 9, 2023.

    1. Thanks,

      We’ll mark this as fixed, as it seems that now a preloaded PHP firewall/rule system is used.

      We won’t evaluate the effectiveness of that system due to time constraints and because comment spam detection is “subjective” to a certain degree.
