cnvd - cnvd-2025-21264

CNVD-2025-21264

Vulnerability from cnvd - Published: 2025-09-15

Title

WordPress Maspik plugin授权问题漏洞

Description

WordPress Maspik plugin是WordPress的一款反垃圾邮件插件，主要用于保护网站联系表单、评论区域和注册表单免受垃圾邮件侵扰。 WordPress Maspik plugin存在授权问题漏洞，该漏洞源于函数Maspik_spamlog_download_csv缺少能力检查，攻击者可利用该漏洞导致未授权访问。

Severity

中

Patch Name

WordPress Maspik plugin授权问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://wordpress.org/plugins/contact-forms-anti-spam

Reference

https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482

Impacted products

Name
WordPress Maspik plugin <=2.5.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-9979",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-9979"
    }
  },
  "description": "WordPress Maspik plugin\u662fWordPress\u7684\u4e00\u6b3e\u53cd\u5783\u573e\u90ae\u4ef6\u63d2\u4ef6\uff0c\u4e3b\u8981\u7528\u4e8e\u4fdd\u62a4\u7f51\u7ad9\u8054\u7cfb\u8868\u5355\u3001\u8bc4\u8bba\u533a\u57df\u548c\u6ce8\u518c\u8868\u5355\u514d\u53d7\u5783\u573e\u90ae\u4ef6\u4fb5\u6270\u3002\n\nWordPress Maspik plugin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u51fd\u6570Maspik_spamlog_download_csv\u7f3a\u5c11\u80fd\u529b\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u672a\u6388\u6743\u8bbf\u95ee\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://wordpress.org/plugins/contact-forms-anti-spam",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-21264",
  "openTime": "2025-09-15",
  "patchDescription": "WordPress Maspik plugin\u662fWordPress\u7684\u4e00\u6b3e\u53cd\u5783\u573e\u90ae\u4ef6\u63d2\u4ef6\uff0c\u4e3b\u8981\u7528\u4e8e\u4fdd\u62a4\u7f51\u7ad9\u8054\u7cfb\u8868\u5355\u3001\u8bc4\u8bba\u533a\u57df\u548c\u6ce8\u518c\u8868\u5355\u514d\u53d7\u5783\u573e\u90ae\u4ef6\u4fb5\u6270\u3002\r\n\r\nWordPress Maspik plugin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u51fd\u6570Maspik_spamlog_download_csv\u7f3a\u5c11\u80fd\u529b\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u672a\u6388\u6743\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress Maspik plugin\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress Maspik plugin \u003c=2.5.6"
  },
  "referenceLink": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482",
  "serverity": "\u4e2d",
  "submitTime": "2025-09-12",
  "title": "WordPress Maspik plugin\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2025-9979 (GCVE-0-2025-9979)

Vulnerability from cvelistv5 – Published: 2025-09-10 06:38 – Updated: 2025-09-10 16:12

Title

Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export

Summary

The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://plugins.trac.wordpress.org/browser/contac…
	https://plugins.trac.wordpress.org/changeset?sfp_…

Impacted products

	Vendor	Product	Version
	yonifre	Maspik – Ultimate Spam Protection	Affected: * , ≤ 2.5.6 (semver)

Credits

Dmitrii Ignatyev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T13:37:43.902320Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T16:12:35.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Maspik \u2013 Ultimate Spam Protection",
          "vendor": "yonifre",
          "versions": [
            {
              "lessThanOrEqual": "2.5.6",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-10T06:38:47.461Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee68705-cbb3-44b8-8223-4cecd678bcab?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/contact-forms-anti-spam/trunk/includes/functions.php#L1482"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3357602%40contact-forms-anti-spam\u0026new=3357602%40contact-forms-anti-spam\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-08-21T00:00:00.000+00:00",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2025-09-04T12:45:30.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-09-09T17:27:41.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Maspik \u003c= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-9979",
    "datePublished": "2025-09-10T06:38:47.461Z",
    "dateReserved": "2025-09-04T12:28:09.107Z",
    "dateUpdated": "2025-09-10T16:12:35.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-21264

CVE-2025-9979 (GCVE-0-2025-9979)

Tags

Sightings

Nomenclature