Cyber Resilience

CVE-2025-28872

Medium

Published: 11 March 2025

Published
11 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0011 29.2th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-28872 is a medium-severity Missing Authorization (CWE-862) vulnerability in Jwpegram Block Spam By Math Reloaded. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-28872 is a missing authorization vulnerability (CWE-862) in the Block Spam By Math Reloaded WordPress plugin by jwpegram. The flaw allows accessing functionality not properly constrained by access control lists (ACLs) and affects all versions of the plugin up to and including 2.2.4.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation leads to a low-impact denial of service, consistent with the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

The Patchstack advisory provides details on this broken access control vulnerability in Block Spam By Math Reloaded version 2.2.4; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/block-spam-by-math-reloaded/vulnerability/wordpress-block-spam-by-math-reloaded-plugin-2-2-4-broken-access-control-vulnerability?_s_id=cve for mitigation guidance.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service Impact
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Missing authorization in public-facing WordPress plugin enables unauthenticated remote exploitation (T1190) leading directly to denial of service impact (T1499).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13654Shared CWE-862
CVE-2025-22800Shared CWE-862
CVE-2025-7040Shared CWE-862
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862

Affected Assets

jwpegram
block spam by math reloaded
≤ 2.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to plugin functionality lacking proper ACL constraints, directly preventing unauthorized exploitation.

prevent

Applies least privilege to restrict access to the vulnerable plugin functions to only necessary authorized users or processes.

prevent

Mandates timely remediation of the specific missing authorization flaw in Block Spam By Math Reloaded versions up to 2.2.4.

References