Description
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.
Published: 2026-01-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Apply Update
AI Analysis

Impact

An unauthorized data exposure flaw was discovered in the WordPress GamiPress plugin. The plugin's gamipress_ajax_get_posts and gamipress_ajax_get_users AJAX callbacks lack a required capability check, allowing an authenticated user with a Subscriber role or higher to retrieve sensitive information. An attacker can enumerate all registered users, obtain their email addresses, and view the titles of private posts, thereby exposing non‑public data.

Affected Systems

The vulnerability impacts all installations of the GamiPress plugin version 7.6.1 and earlier when running within a WordPress environment. Any site that has the plugin activated and has not yet upgraded beyond 7.6.1 is affected.

Risk and Exploitability

The CVSS score of 4.3 denotes moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers need only possess valid credentials for a user role with Subscriber privileges or higher, then they can simply send AJAX requests to the exposed endpoints to obtain user lists and private post titles. No additional privileges are required beyond the authenticated session, making the threat vector accessible to any authenticated user on the site.

Generated by OpenCVE AI on April 21, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GamiPress to the latest version that includes the capability check fix.
  • If an immediate update is not possible, remove or downgrade the Subscriber role’s capabilities that allow access to user data.
  • Add a firewall rule to block unauthenticated requests to the gamipress_ajax_get_posts and gamipress_ajax_get_users endpoints.
  • Consider disabling or uninstalling GamiPress if gamification functionality is not required.

Generated by OpenCVE AI on April 21, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Gamipress
Gamipress gamipress
Wordpress
Wordpress wordpress
Vendors & Products Gamipress
Gamipress gamipress
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 07:30:00 +0000

Type Values Removed Values Added
Description The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.
Title GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gamipress Gamipress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:00.410Z

Reserved: 2025-11-30T19:30:05.271Z

Link: CVE-2025-13812

cve-icon Vulnrichment

Updated: 2026-01-06T14:32:48.568Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T08:15:51.707

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13812

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses