CVE-2025-13812
Unauthorized Access in GamiPress Plugin via Missing Capability Check
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gamipress | gamipress | to 7.6.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the GamiPress WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass proper capability checks in the gamipress_ajax_get_posts and gamipress_ajax_get_users functions. As a result, these users can enumerate other users, including accessing their email addresses, and retrieve titles of private posts, which they should not normally be able to see.
How can this vulnerability impact me? :
The impact of this vulnerability is unauthorized disclosure of user data and private content. Attackers with low-level authenticated access can gather email addresses of users and view titles of private posts, potentially leading to privacy breaches, targeted phishing, or other malicious activities that exploit exposed user information.
What immediate steps should I take to mitigate this vulnerability?
Update the GamiPress plugin to version 7.6.2 or later, as this version includes a major update that likely addresses the vulnerability by fixing the missing capability checks. Until the update is applied, restrict Subscriber-level access where possible to limit exposure. [1]