CVE-2025-12362
Unknown Unknown - Not Provided
Missing Authorization in myCred Plugin Allows Unauthorized Point Manipulation

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12362
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress mycred *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the myCred WordPress plugin (up to version 2.9.7) due to missing authorization checks. It allows unauthenticated attackers to perform actions they should not be allowed to, such as approving withdrawal requests, modifying user point balances, and manipulating the payment processing system via the cashcred_pay_now AJAX action.

Impact Analysis

An attacker exploiting this vulnerability could approve unauthorized withdrawal requests, alter user point balances, and interfere with payment processing. This could lead to financial loss, manipulation of loyalty or reward systems, and unauthorized transactions within the affected WordPress site.

Mitigation Strategies

To mitigate this vulnerability, immediately update the myCred plugin to a version later than 2.9.7 where the missing authorization issue is fixed. If an update is not available, restrict access to the cashcred_pay_now AJAX action and monitor for unauthorized withdrawal approvals or point modifications. Additionally, review user permissions and audit recent transactions for suspicious activity.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious AJAX requests to the 'cashcred_pay_now' action in the myCred plugin on your WordPress site. Specifically, look for unauthenticated POST requests attempting to approve withdrawal requests or modify user point balances. You can detect such attempts by inspecting web server logs or using command-line tools like curl or wget to simulate requests and observe responses. Example commands to check for the presence of the vulnerable AJAX endpoint include: 1. Using curl to test if the AJAX action is accessible: curl -X POST -d 'action=cashcred_pay_now' https://yourwordpresssite.com/wp-admin/admin-ajax.php 2. Using grep to search web server logs for 'cashcred_pay_now' requests: grep 'cashcred_pay_now' /var/log/apache2/access.log 3. Using a network monitoring tool (e.g., tcpdump) to capture AJAX requests: sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' Note that detecting exploitation attempts requires monitoring for POST requests to admin-ajax.php with the 'action=cashcred_pay_now' parameter, especially those coming from unauthenticated users or IPs not associated with legitimate users. Additionally, reviewing WordPress comments or logs for unexpected withdrawal approvals or balance changes may help identify exploitation. Since the vulnerability involves missing authorization checks, any such unauthorized actions are indicators of compromise. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12362. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart