CVE-2025-12362
Missing Authorization in myCred Plugin Allows Unauthorized Point Manipulation
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | mycred | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the myCred plugin to a version later than 2.9.7 where the missing authorization issue is fixed. If an update is not available, restrict access to the cashcred_pay_now AJAX action and monitor for unauthorized withdrawal approvals or point modifications. Additionally, review user permissions and audit recent transactions for suspicious activity.
Can you explain this vulnerability to me?
This vulnerability exists in the myCred WordPress plugin (up to version 2.9.7) due to missing authorization checks. It allows unauthenticated attackers to perform actions they should not be allowed to, such as approving withdrawal requests, modifying user point balances, and manipulating the payment processing system via the cashcred_pay_now AJAX action.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could approve unauthorized withdrawal requests, alter user point balances, and interfere with payment processing. This could lead to financial loss, manipulation of loyalty or reward systems, and unauthorized transactions within the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious AJAX requests to the 'cashcred_pay_now' action in the myCred plugin on your WordPress site. Specifically, look for unauthenticated POST requests attempting to approve withdrawal requests or modify user point balances. You can detect such attempts by inspecting web server logs or using command-line tools like curl or wget to simulate requests and observe responses. Example commands to check for the presence of the vulnerable AJAX endpoint include:
1. Using curl to test if the AJAX action is accessible:
   `curl -X POST -d 'action=cashcred_pay_now' https://yourwordpresssite.com/wp-admin/admin-ajax.php`
2. Using grep to search web server logs for 'cashcred_pay_now' requests:
   `grep 'cashcred_pay_now' /var/log/apache2/access.log`
3. Using a network monitoring tool (e.g., tcpdump) to capture AJAX requests:
   `sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
Note that detecting exploitation attempts requires monitoring for POST requests to admin-ajax.php with the 'action=cashcred_pay_now' parameter, especially those coming from unauthenticated users or IPs not associated with legitimate users. Additionally, reviewing WordPress comments or logs for unexpected withdrawal approvals or balance changes may help identify exploitation. Since the vulnerability involves missing authorization checks, any such unauthorized actions are indicators of compromise. [1, 3]
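As an added example (not from this advisory or the myCred project), the following Python script applies the log-based check above to constructed Apache combined-format lines. It assumes the standard combined log format and flags requests to admin-ajax.php whose query string names the cashcred_pay_now action; because access logs do not record POST bodies, POSTs to admin-ajax.php with no visible action are reported separately as candidates that need body-level inspection (WAF or ModSecurity audit logs).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache/nginx; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_ACTION = "cashcred_pay_now"  # AJAX action named in the advisory

def classify(line):
    """Return 'hit', 'candidate' or None for one access-log line.
    hit:       admin-ajax.php request with action=cashcred_pay_now in the query
               string (WordPress reads 'action' from $_REQUEST, so GET or POST).
    candidate: POST to admin-ajax.php whose action is not visible, because
               access logs omit POST bodies; inspect these via WAF/audit logs.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [""])[0]
    if action == TARGET_ACTION:
        return "hit"
    if m.group("method") == "POST" and not action:
        return "candidate"
    return None

def scan(lines):
    """Aggregate findings per source IP: {ip: Counter({'hit': n, 'candidate': n})}."""
    counts = {}
    for line in lines:
        kind = classify(line)
        if kind:
            ip = LOG_RE.match(line).group("ip")
            counts.setdefault(ip, Counter())[kind] += 1
    return counts

# Constructed sample lines (not real traffic): one visible hit, one body-only POST, one benign call.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=cashcred_pay_now HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.7 - - [13/Dec/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.4 - - [13/Dec/2025:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""
```

Run `scan(open('/var/log/apache2/access.log').readlines())` against a real log; a source IP with hits that never loaded wp-login.php is the pattern the advisory describes as an indicator of compromise.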