CVE-2025-28872
Published: 11 March 2025
Summary
CVE-2025-28872 is a medium-severity Missing Authorization (CWE-862) vulnerability in Jwpegram Block Spam By Math Reloaded. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 29.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to plugin functionality that lacks proper ACL constraints, directly preventing unauthorized use of the affected functions.
- AC-6 (Least Privilege): restricts access to the vulnerable plugin functions to only those users or processes that require it.
- SI-2 (Flaw Remediation): mandates timely remediation of the missing authorization flaw in Block Spam By Math Reloaded versions up to and including 2.2.4.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in a public-facing WordPress plugin enables unauthenticated remote exploitation (Exploit Public-Facing Application, T1190), leading directly to a denial of service impact (Endpoint Denial of Service, T1499).
NVD Description
Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2.4.
Deeper analysis
CVE-2025-28872 is a missing authorization vulnerability (CWE-862) in the Block Spam By Math Reloaded WordPress plugin by jwpegram. The flaw allows accessing functionality not properly constrained by access control lists (ACLs) and affects all versions of the plugin up to and including 2.2.4.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation results in a low-impact loss of availability (denial of service), with no confidentiality or integrity impact, consistent with the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
The Patchstack advisory provides details on this broken access control vulnerability in Block Spam By Math Reloaded version 2.2.4; security practitioners should consult it for mitigation guidance: https://patchstack.com/database/Wordpress/Plugin/block-spam-by-math-reloaded/vulnerability/wordpress-block-spam-by-math-reloaded-plugin-2-2-4-broken-access-control-vulnerability?_s_id=cve
Details
- CWE(s): CWE-862 (Missing Authorization)