CVE-2026-24581 - Vulnerability Details

- WordPress Points and Rewards for WooCommerce plugin <= 2.9.5 - Broken Access Control vulnerability

Description

Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5.

Published: 2026-01-23

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability is a missing authorization flaw in the WP Swings Points and Rewards for WooCommerce plugin, where improper access control checks enable a user to execute admin‑level functions without proper privileges. As a result, an attacker can manipulate points, rewards, or related settings beyond their allowed scope, potentially leading to financial loss or credential compromise for target accounts. The weakness is categorized as CWE‑862, an improper authorization weakness.

Affected Systems

The problem affects the WP Swings Points and Rewards for WooCommerce plugin, in all releases up to and including version 2.9.5. Users running any older or older patch edition of the plugin are potentially exposed.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity, and the EPSS probability is less than 1%, suggesting a low but non‑zero likelihood of exploitation. The issue has not been reported in CISA’s KEV catalog. Because the flaw involves incorrect assignment of access rights, an attacker who can exploit any authenticated user session or who can create a new user will be able to bypass restrictions. The attack could be performed remotely via legitimate plugin interfaces, requiring no special network access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WP Swings

Points and Rewards for WooCommerce

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.9.5

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—
Wpswings	Points And Rewards For Woocommerce	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Points and Rewards for WooCommerce plugin to version 2.9.6 or later to obtain the official fix.
Review and tighten role‑based permissions for the plugin to ensure only authorized users can access sensitive administration features.
Disable or remove the plugin if it is not required for business processes, and monitor administrative logs for any anomalous activity.

Generated by OpenCVE AI on April 16, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Mon, 26 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 26 Jan 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpswings Wpswings points And Rewards For Woocommerce
Vendors & Products		Wordpress Wordpress wordpress Wpswings Wpswings points And Rewards For Woocommerce

Fri, 23 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5.
Title		WordPress Points and Rewards for WooCommerce plugin <= 2.9.5 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve

Subscriptions

Wordpress Wordpress

Wpswings Points And Rewards For Woocommerce

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-23T14:28:59.230Z

Updated: 2026-04-23T14:14:06.816Z

Reserved: 2026-01-23T12:32:07.880Z

Link: CVE-2026-24581

Vulnrichment

Updated: 2026-01-26T18:25:52.153Z

NVD

Status : Deferred

Published: 2026-01-23T15:16:16.050

Modified: 2026-04-23T15:36:51.817

Link: CVE-2026-24581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:45:20Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object