Maspik is a spam-logging WordPress plugin used by over 30,000 sites to record and analyze spam submissions across contact forms, checkout pages, and other inputs. It stores detailed records—email addresses, IPs, user agents, country data—in the wp_maspik_spam_logs table. A critical vulnerability—CVE-2025-9979—allows any authenticated user with as little as Subscriber+ privileges to export the entire spam log as a CSV file. This missing authorization on the Maspik_spamlog_download_csv endpoint leads to wholesale disclosure of potentially sensitive data without any nonce or capability checks.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-9979 |
| Plugin Version | Maspik <= 2.5.6 |
| Severity | High |
| All Time | 737 279 |
| Active installations | 30 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9979 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-forms-anti-spam/maspik-256-authenticated-subscriber-missing-authorization-to-spam-log-export |
Timeline
| Date | Event |
| --- | --- |
| August 22, 2025 | Plugin testing and vulnerability detection in Maspik – Ultimate Spam Protection has been completed |
| August 22, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| October 9, 2025 | Registered CVE-2025-9979 |
Discovery of the Vulnerability
During a thorough security review, researchers observed that the CSV export endpoint is registered via add_action('admin_post_Maspik_spamlog_download_csv', ...) but lacks both check_admin_referer() for CSRF protection and current_user_can() checks for user capabilities. When a Subscriber+ user, who ordinarily lacks administrative privileges, requests this endpoint, the plugin immediately returns a 200 OK response with Content-Type: text/csv; charset=utf-8 and Content-Disposition: attachment; filename=spam_log_export_YYYY-MM-DD.csv. The response body contains the complete CSV dump of the wp_maspik_spam_logs table, including email addresses, IPs, submission details, user agents, and timestamps. This behavior confirms a missing authorization check that exposes sensitive data to low-privileged users.
Understanding Missing Authorization Attacks
In WordPress, sensitive operations, especially those revealing user data, must enforce both nonce validation to prevent CSRF and capability checks to restrict access. Numerous plugins have historically erred by registering public endpoints without proper authorization, leading to data leaks. For instance, CVE-2024-2456 in Plugin X allowed any logged-in user to download site settings, and CVE-2025-1234 in Theme Y exposed private media URLs via a missing current_user_can() check. CVE-2025-9979 in Maspik follows the same pattern: the export functionality trusts any authenticated session, inadvertently turning Subscriber+ accounts into data harvesters.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2025-9979, an attacker holding any authenticated session (a Subscriber account is enough) simply requests the export endpoint; no nonce or capability is required:
PoC:
wp-admin/admin-post.php?action=Maspik_spamlog_download_csv
Spam logs often contain user-submitted data—email addresses, messages, and IP addresses—that may include personal information, business leads, or evidence of intrusion attempts. In real-world scenarios:
- Privacy Violations: Harvested email addresses could be repurposed for targeted phishing or spam campaigns.
- Data Leakage: Confidential feedback or internal test data inadvertently captured in spam logs could be exposed.
- Reconnaissance: Attackers could parse IP ranges and user agents to map network infrastructure or identify privileged users.
On high-traffic sites—eCommerce, membership communities, or corporate intranets—exposure of spam logs could facilitate further social engineering or network-based attacks.
Recommendations for Improved Security
- Enforce Capability Checks: Require current_user_can( 'manage_options' ) before generating and returning the CSV, ensuring only administrators can export logs.
- Add Nonce Validation: Incorporate check_admin_referer( 'maspik_export_logs', 'maspik_export_nonce' ) to guard against CSRF.
- Limit Role Access: Audit plugin endpoints and restrict data-export functions to administrative roles.
- Logging & Alerts: Implement administrative alerts for CSV exports, logging the user, timestamp, and IP address of each export.
- Periodic Audits: Regularly review plugin code for missing authorization checks, especially on admin-post and admin-ajax routes.
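The following is an added example of what a hardened admin_post handler for this export looks like; it is not Maspik's own code. The function names, the audit-log action name and the use of $wpdb->prefix are assumptions; the hook name, the table name and the nonce action/field name are the ones this advisory cites.

```php
<?php
// Added example (not Maspik's code): admin_post handler with the capability
// check, nonce check and export logging the advisory recommends.
add_action( 'admin_post_Maspik_spamlog_download_csv', 'maspik_secure_spamlog_download_csv' );

function maspik_secure_spamlog_download_csv() {
    // 1. Capability check: only administrators may export the spam log.
    //    This is the check whose absence lets any Subscriber+ session download it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export the spam log.', 'maspik' ), 403 );
    }

    // 2. Nonce check: the request must carry a valid nonce, which blocks CSRF.
    //    check_admin_referer() calls wp_die() itself when the nonce is missing or invalid.
    check_admin_referer( 'maspik_export_logs', 'maspik_export_nonce' );

    global $wpdb;
    // Assumption: the table is created with the site prefix (wp_maspik_spam_logs on a default install).
    $table = $wpdb->prefix . 'maspik_spam_logs';
    $rows  = $wpdb->get_results( "SELECT * FROM {$table}", ARRAY_A );

    // 3. Audit trail: record who exported the data, when and from which address.
    //    'maspik_spamlog_exported' is a hypothetical action an alerting hook could listen on.
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    do_action( 'maspik_spamlog_exported', $user->ID, current_time( 'mysql' ), $ip );
    error_log( sprintf( 'Maspik spam log exported by user %d from %s', $user->ID, $ip ) );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename=spam_log_export_' . gmdate( 'Y-m-d' ) . '.csv' );

    $out = fopen( 'php://output', 'w' );
    if ( ! empty( $rows ) ) {
        fputcsv( $out, array_keys( $rows[0] ) ); // header row from column names
        foreach ( $rows as $row ) {
            fputcsv( $out, $row );
        }
    }
    fclose( $out );
    exit;
}

// The export link in the admin UI must carry the matching nonce, or the
// check_admin_referer() call above will reject every click.
function maspik_secure_spamlog_export_url() {
    $url = admin_url( 'admin-post.php?action=Maspik_spamlog_download_csv' );
    return wp_nonce_url( $url, 'maspik_export_logs', 'maspik_export_nonce' );
}
```

With both checks in place, the bare PoC URL above returns a 403 for non-administrators and a nonce failure for anyone without a freshly generated link, while each successful export leaves a log entry naming the user and source IP.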
By taking proactive measures to address missing authorization and CSRF vulnerabilities like CVE-2025-9979, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
