Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
PR:L reflects the subscriber-level path covering data exfiltration; C:L corrects the erroneous C:N given documented email and balance exfiltration; unauthenticated wallet drain is a separate, more severe sub-vector.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to convert and drain any user's reward points into wallet balance, exfiltrate all users' emails and point balances to an attacker-controlled Klaviyo account, overwrite the site's Klaviyo public API key, block or unblock arbitrary users from the points system, and modify campaign banner and heading settings. The nonce used for authentication of these requests (wps-wpr-verify-nonce) is injected into every public-facing page via wp_localize_script(), and the wps_wpr_generate_custom_wallet handler is additionally registered on the wp_ajax_nopriv_ hook, meaning unauthenticated visitors can also obtain a valid nonce and exploit that specific action.
AnalysisAI
Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The wps_wpr_generate_custom_wallet action requires no authentication - it is registered on wp_ajax_nopriv_ and the required nonce is embedded in every public-facing page via wp_localize_script(), meaning any unauthenticated site visitor who can load a single page can obtain a valid nonce and call this action. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS score of 4.3 (PR:L, C:N, I:L) materially understates risk in two ways. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker loads any public page of a vulnerable WooCommerce store, extracts the wps-wpr-verify-nonce value from the page's JavaScript globals, and issues a crafted POST request to wp-admin/admin-ajax.php with action=wps_wpr_generate_custom_wallet targeting a victim user's account - converting their accumulated reward points to spendable wallet balance. A subscriber-level attacker (e.g., a customer account) can additionally call the Klaviyo export handler to redirect all registered users' email addresses and point balances to an attacker-controlled Klaviyo list, and overwrite the store's Klaviyo API key to intercept future marketing data. … |
| Remediation | Upstream fix: commit 3602815 in the WordPress plugin Subversion repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3602815%40points-and-rewards-for-woocommerce&new=3602815%40points-and-rewards-for-woocommerce) contains the patch; however, a specific released patched version number is not confirmed from available data - verify the current release version on WordPress.org and update to the latest available version beyond 2.10.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43123
GHSA-rv47-ph67-qh37