CVE-2025-9979
Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export
The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Produtos afetados
yonifre · Maspik – Ultimate Spam ProtectionQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357602%40contact-forms-anti-spam&new=3357602%40contact-forms-anti-spam&sfp_email=&sfph_mail=https://research.cleantalk.org/cve-2025-9879/https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee68705-cbb3-44b8-8223-4cecd678bcab?source=cve