CVE-2025-9979

Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export

CVSS 4.3 MEDIUMEPSS 0.2%CWE-862

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

10 sep 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Productos afectados

yonifre · Maspik – Ultimate Spam Protection

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail=https://research.cleantalk.org/cve-2025-9879/https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee68705-cbb3-44b8-8223-4cecd678bcab?source=cve