Gamipress
SQL injection in the GamiPress WordPress plugin versions 7.8.7 and earlier allows authenticated users with subscriber-level privileges to inject arbitrary SQL queries against the WordPress database. The flaw was reported by Patchstack and affects standard installations of the plugin, enabling attackers with the lowest authenticated role to read sensitive database contents and cause limited integrity or availability impact via the scope-changed condition. No public exploit identified at time of analysis.
Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attackers to read restricted data by exploiting missing authorization checks on plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code or active exploitation has been identified at time of analysis, and an EPSS score of 0.03% (8th percentile) reflects low real-world exploitation probability.
GamiPress versions 7.6.6 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. An attacker can exploit this to modify plugin settings, create or delete gamification elements, or alter user data without the target user's knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but has no authentication requirement for the attack itself, making it a moderate-risk issue suitable for opportunistic exploitation against WordPress administrators.
The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_do_shortcode(). Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. EPSS exploitation probability: 21.0%.
The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.