CVE-2025-9979
Description
The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated subscribers can export the entire spam log database containing sensitive data due to missing authorization in the Maspik WordPress plugin.
Vulnerability
Description
CVE-2025-9979 is a missing authorization vulnerability in the Maspik WordPress plugin, affecting versions 2.5.6 and prior. The plugin records spam submissions in the wp_maspik_spam_logs table, storing sensitive data such as email addresses, IPs, user agents, and country information. The vulnerability stems from the lack of capability checks on the Maspik_spamlog_download_csv function, which is registered via admin_post and is used to export the spam log as a CSV file [1].
Exploitation
Any authenticated user with at least subscriber-level privileges can exploit this vulnerability. The attacker simply accesses the CSV export endpoint directly; the endpoint lacks both check_admin_referer() for CSRF protection and current_user_can() for authorization checks. No special permissions or nonces are required [1].
Impact
A successful exploit allows the attacker to download the entire spam log database, which includes all blocked submission attempts. While the plugin blocks spam, legitimate submissions may be misclassified and recorded, exposing potentially sensitive user data. This information could be used for phishing campaigns, identity theft, or further targeted attacks [1].
Mitigation
The vulnerability was reported to the plugin author on August 22, 2025, and a proof of concept was published on October 9, 2025. The vendor has not yet released a patched version, but users are advised to update the plugin once a fix becomes available or to restrict access to the export endpoint until then [1].
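The two checks the Exploitation section says are absent, shown as an added illustrative example in a WordPress plugin handler; this is not the Maspik plugin's code, and the `manage_options` capability, the `maspik_spamlog_export` nonce action and the CSV helper are assumed placeholders:

```php
<?php
// Added example, not Maspik's own code. Shows the admin_post handler pattern
// the advisory describes, without and with the authorization checks.

// Pattern described in the advisory: the handler queries the spam log table
// and streams it as CSV with no current_user_can() and no check_admin_referer(),
// so any logged-in user who reaches the admin_post action receives the export.
// Left unhooked here; it exists only to make the missing checks visible.
function maspik_example_download_csv_unchecked() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}maspik_spam_logs", ARRAY_A );
    maspik_example_send_csv( $rows );
}

// Hardened form: capability check first, then nonce check, then the export.
// 'manage_options' is an assumed administrator-level capability.
function maspik_example_download_csv_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export the spam log.', 'maspik' ), 403 );
    }
    // check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'maspik_spamlog_export' );
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}maspik_spam_logs", ARRAY_A );
    maspik_example_send_csv( $rows );
}
add_action( 'admin_post_maspik_example_download_csv', 'maspik_example_download_csv_hardened' );

// The admin-side link must carry the matching nonce for the hardened handler.
function maspik_example_export_url() {
    $url = admin_url( 'admin-post.php?action=maspik_example_download_csv' );
    return wp_nonce_url( $url, 'maspik_spamlog_export' );
}

// Assumed CSV helper: streams the rows and terminates the request.
function maspik_example_send_csv( array $rows ) {
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="spam-log.csv"' );
    $out = fopen( 'php://output', 'w' );
    if ( $rows ) {
        fputcsv( $out, array_keys( $rows[0] ) );
        foreach ( $rows as $row ) {
            fputcsv( $out, $row );
        }
    }
    fclose( $out );
    exit;
}
```

Until a vendor fix ships, the same two checks can be applied from a site-specific mu-plugin that hooks the plugin's export action ahead of the original callback, or the export action can be blocked at the web server for non-administrator sessions.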
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in the index yet)