CVE-2025-15260
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2Description
The MyRewards - Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.
Analysis
Loyalty Points and Rewards for WooCommerce versions up to 5.6.0. is affected by missing authorization (CVSS 6.5).
Technical Context
This vulnerability (CWE-862: Missing Authorization) affects Loyalty Points and Rewards for WooCommerce. The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.
Affected Products
Product: Loyalty Points and Rewards for WooCommerce. Versions: up to 5.6.0..
Remediation
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today