Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible AJAX endpoint with publicly broadcast nonce removes all authentication barriers; impact is limited to partial confidentiality disclosure with no integrity or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.
AnalysisAI
Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The GamiPress plugin must be installed and active on a WordPress site running any version up to and including 7.9.4. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 5.3 Medium score (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately reflects the narrow confidentiality-only impact and absence of code execution, but understates practical urgency because the score does not capture how trivially the nonce bypass removes the only exploitation barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker visits any page of a WordPress site running GamiPress through 7.9.4 and extracts the gamipress nonce embedded in the page's JavaScript by the wp_localize_script call. The attacker then sends a crafted HTTP POST to /wp-admin/admin-ajax.php with a valid gamipress action and an 'access' parameter set to an enumerated or guessed user identifier, receiving that user's private activity log data - including WooCommerce order events, LearnDash course completions, and badge history - in the response. … |
| Remediation | Upgrade the GamiPress plugin to a version beyond 7.9.4 once a patched release is published to WordPress.org; an upstream fix has been committed in SVN changeset 3593749 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3593749%40gamipress&new=3593749%40gamipress), but a released patched version number is not independently confirmed from the available data - monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/3006261b-a09e-4cff-b49f-49e992c6fe0b for confirmation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42540
GHSA-hcgf-cxhm-8vcm