CVE-2025-9888: 
WordPress vulnerability analysis and mitigation

The Maspik – Ultimate Spam Protection plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2025-9888) affecting all versions up to and including 2.5.6. The vulnerability was discovered on September 9, 2025, and publicly disclosed on September 10, 2025. The issue stems from missing or incorrect nonce validation in the clear_log function (NVD).

The vulnerability is classified as a Cross-Site Request Forgery (CWE-352) with a CVSS v3.1 Base Score of 4.3 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and has an unchanged scope (S:U). The impact affects only integrity (I:L) with no impact on confidentiality (C:N) or availability (A:N) (NVD).

If exploited, this vulnerability allows unauthenticated attackers to clear all spam logs by tricking a site administrator into performing an action, such as clicking on a malicious link. This could result in the loss of important spam monitoring data and potentially hide malicious activities (NVD).

The vulnerability has been patched in version 2.5.7 of the Maspik plugin, released on September 8, 2025. The update includes security fixes that prevent spam logs from being deleted by non-admin users. Users are advised to update to this version immediately (WordPress Changeset).