Description
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.
Published: 2025-12-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of user point balances and withdrawal approvals leading to potential financial loss.
Action: Apply Patch
AI Analysis

Impact

The myCred Points Management System plugin for WordPress has a missing authorization flaw that allows unauthenticated users to approve withdrawal requests, alter user point balances, and tamper with payment processing through the cashcred_pay_now AJAX action. This integrity violation could enable attackers to drain points, redistribute rewards, or manipulate payouts, potentially resulting in financial loss. The weakness is a classic authorization bypass, identified as CWE‑862.

Affected Systems

The vulnerability affects the myCred plugin by saadiqbal, specifically versions up to and including 2.9.7. WordPress sites running any of these releases are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while an EPSS of less than 1% suggests a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending unauthenticated HTTP requests to the cashcred_pay_now AJAX endpoint, bypassing all permission checks.

Generated by OpenCVE AI on April 21, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the myCred plugin to the latest release, which implements proper authorization for the cashcred_pay_now action and removes the exploit path.
  • If an upgrade is not immediately possible, configure WordPress or your web server to restrict access to the cashcred_pay_now AJAX endpoint so that only authenticated users with appropriate privileges can invoke it.
  • Audit and, if necessary, disable unused cashcred modules or phishing endpoints to reduce the attack surface, ensuring that only required AJAX actions remain exposed.

Generated by OpenCVE AI on April 21, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mycred
Mycred mycred
Saadiqbal
Saadiqbal mycred
Wordpress
Wordpress wordpress
Vendors & Products Mycred
Mycred mycred
Saadiqbal
Saadiqbal mycred
Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 06:00:00 +0000

Type Values Removed Values Added
Description The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.
Title myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Mycred Mycred
Saadiqbal Mycred
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:32.696Z

Reserved: 2025-10-27T17:02:30.340Z

Link: CVE-2025-12362

cve-icon Vulnrichment

Updated: 2025-12-15T15:24:52.947Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:46.373

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12362

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses