Description
The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
Published: 2025-09-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized export of spam logs that may contain sensitive submission data
Action: Upgrade plugin
AI Analysis

Impact

The Maspik plugin for WordPress lacks a capability check in its spam‑log export function, allowing any logged‑in user with subscriber‑level access or higher to download a CSV file containing every recorded spam attempt. If legitimate submissions were mistakenly flagged as spam, the exported data can include sensitive user information; the issue is therefore a confidentiality breach, not a denial‑of‑service or code‑execution scenario.

Affected Systems

All releases of Maspik – Ultimate Spam Protection version 2.5.6 or earlier are affected. The vulnerability operates within the WordPress plugin framework and can be triggered by any authenticated user who has at least subscriber privileges. Versions newer than 2.5.6 incorporate the missing authorization check and are not susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity. An attacker only needs an existing subscriber‑level account and knowledge of the export endpoint; no additional privileges or remote code execution are required. The EPSS score is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Despite its low exploitation probability, the potential to exfiltrate sensitive data warrants prompt attention, and monitoring for unauthorized export attempts is advisable.

Generated by OpenCVE AI on April 21, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Maspik plugin update (2.5.7 or newer) to restore proper authorization checks.
  • If an update cannot be applied immediately, restrict the Maspik_spamlog_download_csv handler (for example by adding a capability check) so that only users with higher capabilities can trigger it, or disable the endpoint entirely.
  • After resolving the issue, securely delete or archive any previously exported spam log files to eliminate lingering exposure of sensitive data.
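The following PHP is an added illustration, not the Maspik plugin's own code, of the CWE-862 pattern described in the Impact analysis and of the interim hardening in the second recommended action: an admin-ajax export handler that any logged-in user can reach because it never checks capabilities, beside a hardened version that checks a capability, verifies a nonce and logs denied attempts so that unauthorized export attempts can be monitored. Only the function name Maspik_spamlog_download_csv comes from the advisory; the hook name, the spam-log table name, the `manage_options` capability, the nonce action and the log line format are assumptions.

```php
<?php
// Illustrative reconstruction of the missing-authorization pattern behind
// CVE-2025-9979. This is NOT the Maspik plugin's code; hook name, table name,
// capability, nonce action and log format are assumptions for the example.

// --- Vulnerable shape (shown for contrast only; deliberately not hooked).
// Every 'wp_ajax_*' action is reachable by any authenticated user, including
// subscribers, so without a capability check the whole spam log is exportable.
function maspik_example_spamlog_download_csv_vulnerable() {
    global $wpdb;
    // Table name assumed for the example.
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}maspik_spamlog", ARRAY_A );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="spamlog.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// --- Hardened shape: authorization first, then CSRF check, then export.
function maspik_example_spamlog_download_csv_hardened() {
    // 1. Authorization (the missing check): only administrators may export.
    //    'manage_options' is assumed; choose the capability that matches the
    //    plugin's own settings screen.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Record the denied attempt so unauthorized export attempts show up
        // in the PHP error log for monitoring. Log format is an assumption.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
        error_log( sprintf( 'maspik-example: denied spam log export, user_id=%d ip=%s', get_current_user_id(), $ip ) );
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 2. CSRF protection: the export link must carry a nonce created with
    //    wp_create_nonce( 'maspik_example_spamlog_download_csv' ) (action name assumed).
    check_ajax_referer( 'maspik_example_spamlog_download_csv', 'nonce' );

    // 3. Export, with cells protected against spreadsheet formula injection,
    //    since the log holds attacker-controlled submission text.
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}maspik_spamlog", ARRAY_A );
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="spamlog.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, array_map( 'maspik_example_csv_escape_cell', $row ) );
    }
    fclose( $out );
    exit;
}

// Prefix cells that start with = + - @ so spreadsheet viewers treat them as text.
function maspik_example_csv_escape_cell( $value ) {
    $value = (string) $value;
    if ( $value !== '' && strpbrk( $value[0], '=+-@' ) !== false ) {
        return "'" . $value;
    }
    return $value;
}

// Only the hardened handler is registered. Hook name is an assumption.
add_action( 'wp_ajax_maspik_example_spamlog_download_csv', 'maspik_example_spamlog_download_csv_hardened' );
```

The order matters: the capability check runs before the nonce check and before any database access, so a subscriber who guesses the action name receives a 403 and a log entry rather than a CSV. A nonce alone would not have closed this bug, since a nonce only proves the request came from a page the same user loaded, not that the user is allowed to export.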


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
References | |

Thu, 11 Sep 2025 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 10 Sep 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Sep 2025 06:45:00 +0000

Type | Values Removed | Values Added
Description | | The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
Title | | Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:16.663Z

Reserved: 2025-09-04T12:28:09.107Z

Link: CVE-2025-9979

Vulnrichment

Updated: 2025-09-10T16:12:32.550Z

NVD

Status: Deferred

Published: 2025-09-10T07:15:47.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses