CVE-2025-13812
Unknown Unknown - Not Provided
Unauthorized Access in GamiPress Plugin via Missing Capability Check

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13812
EUVD
EUVD-2026-1064
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gamipress gamipress to 7.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the GamiPress WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass proper capability checks in the gamipress_ajax_get_posts and gamipress_ajax_get_users functions. As a result, these users can enumerate other users, including accessing their email addresses, and retrieve titles of private posts, which they should not normally be able to see.

Impact Analysis

The impact of this vulnerability is unauthorized disclosure of user data and private content. Attackers with low-level authenticated access can gather email addresses of users and view titles of private posts, potentially leading to privacy breaches, targeted phishing, or other malicious activities that exploit exposed user information.

Mitigation Strategies

Update the GamiPress plugin to version 7.6.2 or later, as this version includes a major update that likely addresses the vulnerability by fixing the missing capability checks. Until the update is applied, restrict Subscriber-level access where possible to limit exposure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart