WordPress Plugin Vulnerabilities

myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program < 2.9.7.2 - Missing Authorization to Sensitive Information Exposure

Description

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed.

Affects Plugins

Plugin icon
mycred
Fixed in 2.9.7.2

References

CVE
CVE-2025-12361
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/43b05697-bc36-4f32-86b4-2feef892fe42

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
05a09dec-666a-4329-86e2-0c815fa3a5e8

Timeline

Publicly Published
2025-12-18 (about 6 months ago)
Added
2025-12-18 (about 6 months ago)
Last Updated
2025-12-19 (about 6 months ago)

Other

Published
Title
Published
2025-02-16
Title
ts-tree <= 0.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2026-06-17
Title
Gutenverse Companion < 2.5.1 - Missing Authorization
Published
2026-03-20
Title
Kargo Takip < 0.2.4 - Missing Authorization
Published
2025-04-04
Title
Display product variations dropdown on shop page <= 1.1.3 - Missing Authorization
Published
2025-08-15
Title
School Management <= 93.2.0 - Missing Authorization