{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9888", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T22:26:18.813Z", "datePublished": "2025-09-10T06:38:49.964Z", "dateUpdated": "2026-04-08T17:18:07.135Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:07.135Z"}, "affected": [{"vendor": "yonifre", "product": "Maspik \u2013 Ultimate Spam Protection", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Maspik \u2013 Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Maspik <= 2.5.6 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9b18739-67ed-4cb0-9577-eb60bc84bbeb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/tags/2.5.5/admin/partials/maspik-log.php#L12"}, {"url": "https://research.cleantalk.org/CVE-2025-9888"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-09-03T05:27:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-09T17:27:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-10T20:32:14.077727Z", "id": "CVE-2025-9888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T20:32:22.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-10T20:32:14.077727Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T20:32:19.687Z"}}], "cna": {"title": "Maspik <= 2.5.6 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "yonifre", "product": "Maspik \u2013 Ultimate Spam Protection", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-03T05:27:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-09T17:27:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9b18739-67ed-4cb0-9577-eb60bc84bbeb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/tags/2.5.5/admin/partials/maspik-log.php#L12"}, {"url": "https://research.cleantalk.org/CVE-2025-9888"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Maspik \u2013 Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:07.135Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9888", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:07.135Z", "dateReserved": "2025-09-02T22:26:18.813Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-10T06:38:49.964Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Maspik \u2013 Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9888", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-10T07:15:46.940", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/tags/2.5.5/admin/partials/maspik-log.php#L12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/CVE-2025-9888"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9b18739-67ed-4cb0-9577-eb60bc84bbeb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:52:53.954903+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest Maspik release that fixes the CSRF issue.", "If an upgrade is not immediately possible, disable or restrict the clear_log capability so that only users with the highest privileges can invoke it, or remove the function entirely from the admin interface.", "Implement a CSRF protection layer or security plugin that enforces nonce checks on all state\u2011changing requests within WordPress.", "Educate administrators to detect and avoid suspicious links that could be used to trigger actions."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery that allows unauthenticated users to clear all spam logs"}, "threat_synthesis": {"affected_systems": "The flaw affects versions up to and including 2.5.6 of the Maspik \u2013 Ultimate Spam Protection plugin. Systems running any of these releases with WordPress installations are susceptible; no other vendors or products are listed as affected in the available CNA data.", "description_and_impact": "The vulnerability resides in the Maspik \u2013 Ultimate Spam Protection WordPress plugin, specifically the clear_log function where nonce validation is absent or incorrect. This deficiency permits unauthenticated attackers to send a forged request that triggers log clearance. The result is loss of spam activity records, which can conceal malicious activity and disrupt monitoring and auditing efforts. The weakness is formally categorized as CWE\u2011352, representing inadequate protection against CSRF attacks.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Exploitation requires the attacker to trick a site administrator into submitting a forged request\u2014commonly via a malicious link\u2014making it a CSRF-based social engineering attack rather than a purely automated threat."}}}}, "created": "2025-09-11T10:42:50.261691+00:00", "updated": "2026-04-20T22:00:11.198068+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}