WordPress Plugin Vulnerabilities

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress < 7.6.2 - Missing Authorization to Authenticated (Subscriber+) Information Exposure

Description

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.

Affects Plugins

Plugin icon
gamipress
Fixed in 7.6.2

References

CVE
CVE-2025-13812
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/acfdd579-0be9-476b-90cd-07f417712691

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
kr0d
Verified
No
WPVDB ID
30697559-de97-4b21-94da-2f43a7f14c8f

Timeline

Publicly Published
2026-01-05 (about 5 months ago)
Added
2026-01-05 (about 5 months ago)
Last Updated
2026-01-06 (about 5 months ago)

Other

Published
Title
Published
2024-08-16
Title
Presto Player < 3.0.3 - Missing Authorization
Published
2023-11-16
Title
SearchIQ < 4.5 - Unauthenticated Sensitive Information Disclosure
Published
2025-11-24
Title
atec Duplicate Page & Post < 1.2.21 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure
Published
2025-06-19
Title
Zara 4 Image Compression <= 1.2.17.2 - Missing Authorization
Published
2024-02-09
Title
RSS Aggregator by Feedzy < 4.4.3 - Missing Authorization to Arbitrary Page Creation and Publication