VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Sep 10, 2025 · Updated Apr 15, 2026

CVE-2025-9888

Description

The Maspik – Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam logs via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Maspik WordPress plugin <=2.5.6 has a CSRF vulnerability in its clear_log function, letting unauthenticated attackers wipe all spam logs via a forged request.

The Maspik – Ultimate Spam Protection plugin for WordPress, installed on over 30,000 sites, logs spam submissions from contact forms and checkout pages in the wp_maspik_spam_logs table. The plugin's administrative interface includes a “Clear Logs” button that submits a POST request to wp-admin/admin.php?page=maspik-log.php with the parameter clear_log=1. Researchers discovered that this function unconditionally processes the request, deleting all rows from the log table, without performing any nonce validation or capability check [1]. This means the function does not verify that the current user is authorized to perform such an action.

This missing authorization makes the function vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated attacker can craft a malicious website or email that, when visited by a logged-in site administrator, forges a request to the plugin's clear_log function. Because the request appears to come from the administrator's browser, the plugin processes it as legitimate, deleting all spam logs [1]. The attack requires no authentication from the attacker and no additional privileges beyond tricking an administrator into clicking a link or loading a crafted page.

The impact of successful exploitation is the complete loss of all recorded spam entries. This disrupts site monitoring and forensics, as administrators lose visibility into past spam activity. Additionally, an attacker could use this to cover traces of other malicious actions, such as successful spam submissions or other attacks that were logged [1]. The vulnerability affects all versions of the plugin up to and including 2.5.6.

The plugin vendor has been notified and a fix is expected. As of the publication date, users should apply any available update to version 2.5.7 or later, or implement additional CSRF protections such as using WordPress's built-in nonce functions on the clear_log handler [1]. No active exploitation in the wild has been reported at the time of disclosure.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
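The mitigation recommended above (nonce validation plus a capability check on the clear_log handler), shown as an added PHP example; this is a hypothetical reconstruction written for this page, not the Maspik plugin's own code. Only the wp_maspik_spam_logs table name and the clear_log=1 parameter come from the advisory; the function names, nonce action name, hook and capability are assumptions.

```php
<?php
/*
 * Hypothetical reconstruction of a "Clear Logs" admin handler, not the
 * Maspik plugin's own code. Table name and request parameter are taken
 * from the advisory text; everything else is assumed.
 */

// BEFORE (the pattern the advisory describes): the POST is acted on as
// soon as clear_log=1 arrives. A form on a third-party page, submitted by
// a logged-in administrator's browser, satisfies this condition too.
function maspik_example_clear_log_unsafe() {
    global $wpdb;
    if ( isset( $_POST['clear_log'] ) && '1' === $_POST['clear_log'] ) {
        $wpdb->query( "DELETE FROM {$wpdb->prefix}maspik_spam_logs" );
    }
}

// AFTER: the form carries a nonce, and the handler verifies both the
// nonce (the request came from a form this site rendered for this user
// session) and the capability (this user is allowed to clear logs).
function maspik_example_render_clear_log_form() {
    echo '<form method="post">';
    // Emits the hidden _wpnonce-style field under the given name.
    wp_nonce_field( 'maspik_clear_log', 'maspik_clear_log_nonce' );
    echo '<input type="hidden" name="clear_log" value="1">';
    submit_button( 'Clear Logs' );
    echo '</form>';
}

function maspik_example_clear_log_safe() {
    global $wpdb;
    if ( ! isset( $_POST['clear_log'] ) || '1' !== $_POST['clear_log'] ) {
        return;
    }
    // Capability first: a lower-privileged logged-in user never reaches the delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to clear the spam log.', 'example' ),
                '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce bound to this action and
    // user session and stops execution on failure, so a forged cross-site
    // request never reaches the query below.
    check_admin_referer( 'maspik_clear_log', 'maspik_clear_log_nonce' );
    $wpdb->query( "DELETE FROM {$wpdb->prefix}maspik_spam_logs" );
}

// Assumed hook: run the hardened handler before the admin page renders.
add_action( 'admin_init', 'maspik_example_clear_log_safe' );
```

Verifying the nonce alone would still let any logged-in user with a valid nonce for that action clear the table, which is why the capability check is kept alongside it.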

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)