What the vulnerability does
01 Description
The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
Explanation of Vulnerability in Simple Terms
02 Summary
Maspik – Ultimate Spam Protection versions 2.5.6 and earlier lack proper authorization checks, allowing authenticated users to access sensitive information they should not be able to view. An attacker with a low-privilege account can read data that should be restricted to administrators or other users. Update to a version newer than 2.5.6 to resolve this issue.
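The defect described in the Description and Summary above is a missing capability check on a CSV-export handler. The following is an added, hypothetical WordPress handler written for this page to show the bug class beside its fix; it is not the Maspik plugin's code, and the hook names, table name and the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical WordPress plugin code illustrating a missing-authorization
// export handler and its hardened form. NOT the Maspik plugin's code.

// --- Vulnerable pattern: the action runs for any logged-in user. ---
// admin_post_* hooks fire for every authenticated account, subscribers
// included, so registering the export here without a capability check
// is exactly the missing-authorization bug class.
add_action( 'admin_post_example_spamlog_download_csv', 'example_spamlog_download_csv_vulnerable' );

function example_spamlog_download_csv_vulnerable() {
    example_stream_spamlog_csv(); // no current_user_can(), no nonce
}

// --- Hardened pattern: capability check plus nonce, before any output. ---
add_action( 'admin_post_example_spamlog_download_csv_fixed', 'example_spamlog_download_csv_fixed' );

function example_spamlog_download_csv_fixed() {
    // Authorization: only users allowed to manage the site may export the log.
    // 'manage_options' is an assumed choice; use the capability that gates the
    // admin screen where the download link is shown.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export the spam log.', 'example' ), 403 );
    }
    // CSRF protection: the request must carry a nonce minted for this action.
    check_admin_referer( 'example_spamlog_download_csv' );

    example_stream_spamlog_csv();
}

// Shared export routine (assumed table name 'example_spamlog').
function example_stream_spamlog_csv() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT id, created_at, reason, payload FROM {$wpdb->prefix}example_spamlog", ARRAY_A );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="spamlog.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'created_at', 'reason', 'payload' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// The download link on the admin screen must be minted with the same nonce action:
// wp_nonce_url( admin_url( 'admin-post.php?action=example_spamlog_download_csv_fixed' ), 'example_spamlog_download_csv' );
```

The check has to be inside the handler itself: hiding the link from the menu does nothing, because admin-post.php accepts the action from any logged-in account.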
What an attacker can do
03 Attacker Capabilities
Read sensitive information restricted to higher-privilege users.
Potential impact on your site
04 Site Impact
User data and admin information may be exposed to any authenticated account holder.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site.
Key dates
06 Disclosure timeline
September 10, 2025: CVE published
April 8, 2026: Record updated