
GamiPress CVE-2026-24546

EUVD-2026-31723 · MEDIUM
Missing Authorization (CWE-862)
2026-05-25 · Patchstack · GHSA-5v8g-2w9g-6cwm
CVSS 3.1 (NVD): 5.3

Severity by source

NVD (primary): 5.3 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 08, 2026 - 11:47 (vuln.today)

Description (CVE.org)

Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects GamiPress: from n/a through 7.6.3.

Analysis (AI)

Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attackers to read restricted data by exploiting missing authorization checks on plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify WordPress site running GamiPress ≤7.6.3
  • Exploit: Send unauthenticated HTTP request to unprotected plugin endpoint
  • Execution: Bypass missing authorization check
  • Impact: Receive restricted gamification data in response

Vulnerability Assessment (AI)

Exploitation: No special conditions are required beyond the target WordPress site having the GamiPress plugin installed and active in a version at or below 7.6.3. …

Risk Assessment: The CVSS 5.3 Medium score is driven by network reachability (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and no user interaction (UI:N), but impact is constrained to low confidentiality (C:L) with zero integrity or availability effect (I:N/A:N, S:U). …

Exploit Scenario: An unauthenticated attacker identifies a WordPress site running GamiPress 7.6.3 or earlier, then sends a crafted HTTP request to a plugin endpoint (likely a REST route or nopriv AJAX action) that lacks a capability check, receiving restricted gamification data in the response. No exploit code has been confirmed publicly, but the low attack complexity (AC:L) and absence of authentication requirements (PR:N) mean that any attacker with knowledge of the affected endpoint could reproduce this without specialized tooling.

Remediation: The primary remediation is to update the GamiPress plugin beyond version 7.6.3; however, the exact patched release version is not confirmed from the available input data. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/gamipress/vulnerability/wordpress-gamipress-plugin-7-6-3-broken-access-control-vulnerability should be consulted to verify the minimum safe version before updating. …
