{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9979", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-04T12:28:09.107Z", "datePublished": "2025-09-10T06:38:47.461Z", "dateUpdated": "2026-04-08T17:03:16.663Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:16.663Z"}, "affected": [{"vendor": "yonifre", "product": "Maspik \u2013 Ultimate Spam Protection", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data."}], "title": "Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee68705-cbb3-44b8-8223-4cecd678bcab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail="}, {"url": "https://research.cleantalk.org/cve-2025-9879/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-08-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-09-04T12:45:30.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-09T17:27:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-10T13:37:43.902320Z", "id": "CVE-2025-9979", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T16:12:35.377Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-10T13:37:43.902320Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T16:12:32.550Z"}}], "cna": {"title": "Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "yonifre", "product": "Maspik \u2013 Ultimate Spam Protection", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-21T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-09-04T12:45:30.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-09T17:27:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee68705-cbb3-44b8-8223-4cecd678bcab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail="}, {"url": "https://research.cleantalk.org/cve-2025-9879/"}], "descriptions": [{"lang": "en", "value": "The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:16.663Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9979", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:16.663Z", "dateReserved": "2025-09-04T12:28:09.107Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-10T06:38:47.461Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data."}], "id": "CVE-2025-9979", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-10T07:15:47.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-9879/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee68705-cbb3-44b8-8223-4cecd678bcab?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:10:01.655122+00:00", "value": {"mitigation_remediation": ["Apply the latest Maspik plugin update (2.5.7 or newer) to restore proper authorization checks.", "If an update cannot be applied immediately, modify the plugin to remove or disable the Maspik_spamlog_download_csv endpoint so that only users with higher capabilities can trigger it.", "After resolving the issue, securely delete or archive any previously exported spam log files to eliminate lingering exposure of sensitive data."], "summary": {"action": "Upgrade plugin", "impact": "Unauthorized export of spam logs that may contain sensitive submission data"}, "threat_synthesis": {"affected_systems": "All releases of Maspik \u2013 Ultimate Spam Protection version 2.5.6 or earlier are affected. The vulnerability operates within the WordPress plugin framework and can be triggered by any authenticated user who has at least subscriber privileges. Versions newer than 2.5.6 incorporate the missing authorization check and are not susceptible.", "description_and_impact": "The Maspik plugin for WordPress lacks a capability check in its spam\u2011log export function, allowing a logged\u2011in user with subscriber level or higher to download a CSV file that contains all recorded spam attempts. If legitimate submissions were mistakenly flagged as spam, the exported data could include sensitive user information, creating a confidentiality breach rather than a denial\u2011of\u2011service or code\u2011execution scenario.", "risk_and_exploitability": "The CVSS score of 4.3 indicates medium severity. An attacker only needs an existing subscriber\u2011level account and knowledge of the export endpoint; no additional privileges or remote code execution are required. The EPSS score is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Despite its low exploitation probability, the potential to exfiltrate sensitive data warrants prompt attention, and monitoring for unauthorized export attempts is advisable."}}}}, "created": "2025-09-11T10:42:50.901353+00:00", "updated": "2026-04-21T19:15:26.038165+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}