Skip to main content

Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress

1 CVEs product

Monthly

CVE-2026-13450 MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD
CVSS 3.1
5.3
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy