CVE-2025-9979 MEDIUM

CVE-2025-9979: Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export

Vendor Yonifre
Product Maspik – Ultimate Spam Protection
Weakness CWE-862 · Missing authorization
Published September 10, 2025
Last update April 8, 2026

CVSS base score 4.3/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description (what the vulnerability does)

The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
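The advisory describes a classic CWE-862 pattern in a WordPress plugin: a request handler that produces a privileged download without first asking WordPress whether the current user is allowed to do so. The following PHP is an added illustration of that pattern and of the fix a plugin author would apply; it is not Maspik's code, and every function and hook name prefixed `example_` is hypothetical. It assumes only the real WordPress APIs `add_action`, `current_user_can`, `check_admin_referer`, `wp_die` and `$wpdb`.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// CSV-export handler. NOT Maspik's code: all example_* names are invented.

// --- Vulnerable pattern (the shape the advisory describes) ---
// admin_post_* actions fire for ANY logged-in user, including subscribers.
// With no capability check inside the handler, nothing gates the export.
function example_spamlog_download_csv_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_spamlog'; // hypothetical table name
    $rows  = $wpdb->get_results( "SELECT id, ip, content, created FROM {$table}", ARRAY_A );
    example_send_csv( $rows );
}
add_action( 'admin_post_example_spamlog_csv', 'example_spamlog_download_csv_vulnerable' );

// --- Hardened pattern ---
function example_spamlog_download_csv_secure() {
    // 1. Authorization: the spam log can contain misclassified legitimate
    //    submissions, so restrict the export to site administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export the spam log.', 'example' ), 403 );
    }

    // 2. Request-forgery protection: the download link must carry a nonce
    //    tied to this action and this user (check_admin_referer dies on failure).
    check_admin_referer( 'example_spamlog_csv' );

    global $wpdb;
    $table = $wpdb->prefix . 'example_spamlog';
    $rows  = $wpdb->get_results( "SELECT id, ip, content, created FROM {$table}", ARRAY_A );
    example_send_csv( $rows );
}
add_action( 'admin_post_example_spamlog_csv_secure', 'example_spamlog_download_csv_secure' );

// Shared helper: stream the rows as a CSV attachment and stop WordPress
// from appending any further output.
function example_send_csv( array $rows ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="spamlog.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'ip', 'content', 'created' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

The point to take from the pairing is that neither `admin_post_*` nor `wp_ajax_*` hooks perform any authorization of their own; a logged-in check is all WordPress applies before calling the handler. The `current_user_can()` call inside the function is therefore the only thing that separates a subscriber from an administrator, and when reviewing a plugin for this class of bug the question to ask of every export, delete or settings handler is simply whether that call is present before any data is read.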

Summary (the vulnerability explained in simple terms)

Maspik – Ultimate Spam Protection versions 2.5.6 and earlier lack proper authorization checks, allowing authenticated users to access sensitive information they should not be able to view. An attacker with a low-privilege account can read data that should be restricted to administrators or other users. Update to a version newer than 2.5.6 to resolve this issue.

Attacker capabilities (what an attacker can do)

Read sensitive information restricted to higher-privilege users.

Site impact (potential impact on your site)

User data and admin information may be exposed to any authenticated account holder.

Prerequisites (conditions required to exploit)

Attacker must have a low-privilege account on the site.

Disclosure timeline (key dates)

September 10, 2025 CVE published
April 8, 2026 Record updated
