Skip to main content

GamiPress CVE-2026-13450

| EUVDEUVD-2026-42540 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-09 Wordfence GHSA-hcgf-cxhm-8vcm
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible AJAX endpoint with publicly broadcast nonce removes all authentication barriers; impact is limited to partial confidentiality disclosure with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 09:01 vuln.today
CVE Published
Jul 09, 2026 - 07:55 nvd
MEDIUM 5.3

DescriptionCVE.org

The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.

AnalysisAI

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Load any page on the target WordPress site
Delivery
Extract gamipress nonce from wp_localize_script JavaScript output
Exploit
Identify or enumerate target user identifier
Execution
Craft POST request to /wp-admin/admin-ajax.php with forged 'access' parameter
Impact
Receive private activity log records for victim user

Vulnerability AssessmentAI

Exploitation The GamiPress plugin must be installed and active on a WordPress site running any version up to and including 7.9.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 5.3 Medium score (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately reflects the narrow confidentiality-only impact and absence of code execution, but understates practical urgency because the score does not capture how trivially the nonce bypass removes the only exploitation barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker visits any page of a WordPress site running GamiPress through 7.9.4 and extracts the gamipress nonce embedded in the page's JavaScript by the wp_localize_script call. The attacker then sends a crafted HTTP POST to /wp-admin/admin-ajax.php with a valid gamipress action and an 'access' parameter set to an enumerated or guessed user identifier, receiving that user's private activity log data - including WooCommerce order events, LearnDash course completions, and badge history - in the response. …
Remediation Upgrade the GamiPress plugin to a version beyond 7.9.4 once a patched release is published to WordPress.org; an upstream fix has been committed in SVN changeset 3593749 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3593749%40gamipress&new=3593749%40gamipress), but a released patched version number is not independently confirmed from the available data - monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/3006261b-a09e-4cff-b49f-49e992c6fe0b for confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy