Executive Summary

CVE-2025-12361 is a vulnerability in the myCred WordPress plugin's Banking Addon, specifically in versions up to 2.9.7.1. The issue arises from missing authorization checks in the plugin's AJAX handler 'get_bank_accounts', which allows authenticated users with Subscriber-level access or higher to retrieve sensitive user information such as user IDs, display names, and email addresses of all users on the site. The vulnerability is due to improper verification that a user is authorized to perform certain actions, potentially allowing attackers to access data they should not have access to. Additionally, the vulnerability relates to the handling of point transactions in the central banking service, where insufficient validation or improper handling could allow manipulation of point balances. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing authenticated users with low-level access (Subscriber or above) to retrieve sensitive information about all users on the WordPress site, including user IDs, display names, and email addresses. While passwords are not exposed, this information leakage can facilitate targeted phishing attacks, social engineering, or further exploitation. Additionally, flaws in the central banking service's point transaction handling could allow attackers to manipulate point balances, potentially leading to unauthorized point creation or theft within the gamification or loyalty system. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability exposes sensitive user information such as user IDs, display names, and email addresses to unauthorized users, which can be considered a data breach under regulations like GDPR. This unauthorized disclosure of personal data could lead to non-compliance with data protection requirements, potentially resulting in legal and financial penalties. Organizations handling sensitive user data must address this vulnerability promptly to maintain compliance with privacy standards. [1]

Useful 0 Not Useful 0

Detection Guidance

To detect this vulnerability, monitor AJAX requests to the WordPress site for calls to the 'get_bank_accounts' AJAX action, which is vulnerable to unauthorized access. You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools on the server, you might run: 1. grep 'action=get_bank_accounts' /path/to/access.log 2. Use curl to test the AJAX endpoint with an authenticated user having Subscriber-level access or higher: curl -X POST -d 'action=get_bank_accounts&search=admin' https://yourwordpresssite.com/wp-admin/admin-ajax.php -b cookies.txt 3. Use WP-CLI or custom scripts to simulate AJAX requests and check if sensitive user information (user IDs, display names, emails) is returned without proper authorization. These steps help identify if unauthorized users can access sensitive data via the vulnerable AJAX action. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1. Update the myCred plugin to a version later than 2.9.7.1 where the vulnerability is fixed. 2. Restrict access to the 'get_bank_accounts' AJAX action by ensuring proper authorization checks are in place, limiting it to admin users only. 3. Disable or restrict the Banking Addon module if not in use. 4. Implement web application firewall (WAF) rules to block unauthorized AJAX requests targeting 'get_bank_accounts'. 5. Review and tighten user roles and permissions to prevent Subscriber-level users from accessing sensitive AJAX endpoints. These steps reduce the risk of unauthorized data exposure and manipulation of point balances. [1, 2]

Useful 0 Not Useful 0