Description
Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyRewards: from n/a through <= 5.7.3.
Published: 2026-04-15
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control leading to privilege escalation
Action: Immediate patch
AI Analysis

Impact

The vulnerability is a missing authorization check in the Long Watch Studio MyRewards plugin that allows an attacker to bypass intended access controls. This flaw can enable unauthorized users to perform privileged actions through the plugin’s interface or web endpoints, effectively escalating privileges within the WordPress site. The weakness falls under the privilege escalation category.

Affected Systems

The affected product is the WordPress plugin MyRewards from Long Watch Studio (also known as woorewards), with all releases through version 5.7.3 vulnerable. Any WordPress installation that has this plugin installed and uses one of those versions is at risk, regardless of the WordPress core version.

Risk and Exploitability

There is no published CVSS score or EPSS value, and the issue is not listed in CISA’s KEV catalog, so the objective exploit probability is unknown. However, because the flaw is an access control bypass, it can be leveraged by anyone who can access the plugin’s web interface, making the potential impact significant if the site is publicly reachable or if an attacker can obtain basic user credentials. The most likely attack vector is through crafted HTTP requests to the plugin’s administrative endpoints, requiring only web access to the vulnerable WordPress instance.

Generated by OpenCVE AI on April 15, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyRewards to a version newer than 5.7.3 to fix the missing authorization check.
  • Apply additional access restrictions to the plugin’s administrative URLs using .htaccess or a web application firewall, ensuring only administrators can reach them.
  • Perform a review of all active users on the WordPress site and disable or delete accounts that should not have administrative access to the plugin.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Long Watch Studio; Long Watch Studio myrewards; Wordpress; Wordpress wordpress
Vendors & Products | | Long Watch Studio; Long Watch Studio myrewards; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyRewards: from n/a through <= 5.7.3.
Title | | WordPress MyRewards plugin <= 5.7.3 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T10:21:36.068Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40786

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-15T11:16:37.153

Modified: 2026-04-15T11:16:37.153

Link: CVE-2026-40786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:52:56Z

Weaknesses