CVE-2025-15260
Authorization Bypass in MyRewards WooCommerce Plugin Allows Rule Manipulation

Publication date: 2026-02-04

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor      Product     Version / Range
wordfence   myrewards   up to 5.6.0 (inclusive)
Note that this CPE range (up to 5.6.0) is narrower than the description above, which lists all versions up to and including 5.6.1 as affected; treat 5.6.1 as vulnerable until the vendor's changelog says otherwise. The CPE vendor field repeats the CNA name (wordfence) and does not identify the plugin's developer.
CWE
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress routes its administrative actions through a single 'ajax' function, and that function does not verify that the caller is authorized to perform the requested action. In WordPress, a handler registered on a 'wp_ajax_{action}' hook is reachable through wp-admin/admin-ajax.php by any logged-in user regardless of role, so the handler itself must enforce a capability check (typically current_user_can()) and a nonce check; here the authorization check is missing (CWE-862).

As a result, any authenticated user with subscriber level access or higher can modify, add, or delete loyalty program earning rules, including setting point multipliers to arbitrary values, and so change how many points every customer earns.


How can this vulnerability impact me? :

This vulnerability can allow unauthorized modification of loyalty program rules by users who should not have such privileges. Attackers with subscriber level access can manipulate point multipliers, potentially leading to fraudulent accumulation or redemption of loyalty points.

Such unauthorized changes can undermine the integrity of the loyalty system, cause financial loss, damage customer trust, and disrupt business operations related to rewards and customer retention.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves missing authorization checks in the 'ajax' function of the MyRewards – Loyalty Points and Rewards for WooCommerce plugin, allowing authenticated users with subscriber access or higher to modify loyalty program rules.

To detect exploitation attempts, monitor AJAX requests to wp-admin/admin-ajax.php that target the plugin's actions, especially those that modify loyalty program earning rules.

A first pass is to inspect the web server access log for POST requests to the AJAX handler that name the plugin's action, for example:

- grep -i 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep -i 'lws_adminpanel_editlist'
- Check the matching requests for unusual parameters or actions that modify loyalty points or rules.

Caveat: admin-ajax.php requests are normally POSTs whose 'action' parameter travels in the request body, which the access log does not record, so this grep only matches clients that put the action in the query string. A hit is an indicator worth investigating; an empty result does not mean no abuse occurred. Reliable detection needs something that sees the parsed request, such as a WordPress audit-log plugin or a small hook that records the action name, user ID and role for calls to the plugin's AJAX actions.

Additionally, review the earning rules themselves for unexpected changes (new or deleted rules, unusual point multipliers) and watch for subscriber-level accounts performing administrative actions related to loyalty rules.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the MyRewards – Loyalty Points and Rewards for WooCommerce plugin to a version later than 5.6.1 (the last version the description lists as affected), in which the authorization checks are properly implemented.

If an update is not immediately possible, restrict the plugin's AJAX actions rather than admin-ajax.php as a whole, since blocking admin-ajax.php breaks the WordPress admin and many front-end features: a must-use plugin hooked on the same 'wp_ajax_' action at an earlier priority can reject callers who lack an administrative capability before the plugin's handler runs. Tightening subscriber permissions does not help by itself, because the vulnerable handler checks none; what reduces exposure is limiting who can obtain an account at all (WordPress open registration and WooCommerce account creation at checkout) while the plugin is unpatched.

Additionally, monitor logs for suspicious activity, audit the current earning rules and point multipliers for tampering, and consider temporarily disabling the plugin until a patch is applied.
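As an added example, not code from the plugin, from Wordfence or from this page: a must-use plugin that covers both the detection and the mitigation sections above in one place. It hooks the same 'wp_ajax_' action the plugin's handler uses, at an earlier priority, logs every call with the caller's user ID, roles and IP (which the access log cannot show, because the action name arrives in the POST body), and refuses callers without an administrative capability before the plugin's code runs. Two things are assumptions to verify against the installed plugin: that the vulnerable handler is registered on 'wp_ajax_lws_adminpanel_editlist' (the action name the detection section greps for) and that 'manage_woocommerce' is the capability a legitimate caller holds.

```php
<?php
/**
 * Plugin Name: Temporary guard for the MyRewards earning-rule AJAX action (CVE-2025-15260)
 * Description: Logs every call to the plugin's admin-panel AJAX action and blocks callers
 *              without an administrative capability, until the fixed plugin version is installed.
 *
 * Install: copy this file to wp-content/mu-plugins/ (must-use plugins load before regular
 * plugins and need no activation). Remove it once the plugin is updated.
 *
 * Assumptions, not taken from the vendor: the vulnerable handler is registered on
 * 'wp_ajax_lws_adminpanel_editlist' and 'manage_woocommerce' is the capability a legitimate
 * caller holds. Verify both in the plugin source before relying on this file.
 */

defined( 'ABSPATH' ) || exit;

const CVE_2025_15260_ACTION     = 'lws_adminpanel_editlist'; // assumed action name
const CVE_2025_15260_CAPABILITY = 'manage_woocommerce';      // assumed required capability

/**
 * Runs on the same hook as the plugin's handler but at priority 0, ahead of the default
 * priority 10, so it sees the request first. Only the 'wp_ajax_' (logged-in) variant is
 * guarded; the reported issue requires an authenticated caller.
 */
function cve_2025_15260_guard() {
	$user    = wp_get_current_user();
	$roles   = $user->roles ? implode( ',', $user->roles ) : 'none';
	$ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
	$allowed = current_user_can( CVE_2025_15260_CAPABILITY );

	// Detection: one line per call, written to the PHP error log (or to
	// wp-content/debug.log when WP_DEBUG_LOG is enabled), recording who called the
	// action and whether the call was allowed.
	error_log( sprintf(
		'CVE-2025-15260 guard: action=%s user_id=%d roles=%s ip=%s result=%s',
		CVE_2025_15260_ACTION,
		$user->ID,
		$roles,
		$ip,
		$allowed ? 'allowed' : 'blocked'
	) );

	if ( ! $allowed ) {
		// Mitigation: answer 403 and stop. wp_send_json_error() exits the request,
		// so the plugin's own handler never runs for this call.
		wp_send_json_error( array( 'message' => 'Not authorized.' ), 403 );
	}
}
add_action( 'wp_ajax_' . CVE_2025_15260_ACTION, 'cve_2025_15260_guard', 0 );
```

The guard applies only the capability test; a correct handler would also validate a nonce with check_ajax_referer(), which the guard cannot do without knowing the plugin's nonce action. To confirm the hook name, search the plugin's directory for add_action( 'wp_ajax_ and repeat the add_action line for every administrative action the plugin registers; a log line with result=blocked for a subscriber account is direct evidence of an exploitation attempt.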

