Skip to main content

WooCommerce Points Rewards CVE-2026-10628

| EUVDEUVD-2026-43123 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-rv47-ph67-qh37
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects the subscriber-level path covering data exfiltration; C:L corrects the erroneous C:N given documented email and balance exfiltration; unauthenticated wallet drain is a separate, more severe sub-vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:44 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to convert and drain any user's reward points into wallet balance, exfiltrate all users' emails and point balances to an attacker-controlled Klaviyo account, overwrite the site's Klaviyo public API key, block or unblock arbitrary users from the points system, and modify campaign banner and heading settings. The nonce used for authentication of these requests (wps-wpr-verify-nonce) is injected into every public-facing page via wp_localize_script(), and the wps_wpr_generate_custom_wallet handler is additionally registered on the wp_ajax_nopriv_ hook, meaning unauthenticated visitors can also obtain a valid nonce and exploit that specific action.

AnalysisAI

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Load public store page
Delivery
Extract wps-wpr-verify-nonce from JS globals
Exploit
POST to admin-ajax.php with nopriv wallet action
Execution
Convert victim points to wallet balance
Persist
(Optional) Authenticate as subscriber
Impact
Overwrite Klaviyo API key and exfiltrate all user emails

Vulnerability AssessmentAI

Exploitation The wps_wpr_generate_custom_wallet action requires no authentication - it is registered on wp_ajax_nopriv_ and the required nonce is embedded in every public-facing page via wp_localize_script(), meaning any unauthenticated site visitor who can load a single page can obtain a valid nonce and call this action. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS score of 4.3 (PR:L, C:N, I:L) materially understates risk in two ways. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker loads any public page of a vulnerable WooCommerce store, extracts the wps-wpr-verify-nonce value from the page's JavaScript globals, and issues a crafted POST request to wp-admin/admin-ajax.php with action=wps_wpr_generate_custom_wallet targeting a victim user's account - converting their accumulated reward points to spendable wallet balance. A subscriber-level attacker (e.g., a customer account) can additionally call the Klaviyo export handler to redirect all registered users' email addresses and point balances to an attacker-controlled Klaviyo list, and overwrite the store's Klaviyo API key to intercept future marketing data. …
Remediation Upstream fix: commit 3602815 in the WordPress plugin Subversion repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3602815%40points-and-rewards-for-woocommerce&new=3602815%40points-and-rewards-for-woocommerce) contains the patch; however, a specific released patched version number is not confirmed from available data - verify the current release version on WordPress.org and update to the latest available version beyond 2.10.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10628 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy