CVE-2026-10628
Received Received - Intake

Authorization Bypass in Points and Rewards for WooCommerce

Vulnerability report for CVE-2026-10628, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to convert and drain any user's reward points into wallet balance, exfiltrate all users' emails and point balances to an attacker-controlled Klaviyo account, overwrite the site's Klaviyo public API key, block or unblock arbitrary users from the points system, and modify campaign banner and heading settings. The nonce used for authentication of these requests (wps-wpr-verify-nonce) is injected into every public-facing page via wp_localize_script(), and the wps_wpr_generate_custom_wallet handler is additionally registered on the wp_ajax_nopriv_ hook, meaning unauthenticated visitors can also obtain a valid nonce and exploit that specific action.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woocommerce points_and_rewards to 2.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to exfiltrate all users' emails and point balances to an attacker-controlled account, which could lead to unauthorized disclosure of personal data.

Such unauthorized access and data exfiltration may result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information.

Additionally, the ability to modify user states and campaign settings without proper authorization could undermine data integrity and security controls mandated by these standards.

Executive Summary

The Points and Rewards for WooCommerce plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 2.10.0. This happens because the plugin does not properly verify if a user is authorized to perform certain actions.

As a result, authenticated attackers with subscriber-level access or higher can exploit this flaw to convert and drain any user's reward points into their wallet balance, steal all users' emails and point balances by sending them to an attacker-controlled Klaviyo account, overwrite the site's Klaviyo public API key, block or unblock arbitrary users from the points system, and modify campaign banner and heading settings.

Additionally, the nonce used for authentication is exposed on every public-facing page, and one handler is registered to allow unauthenticated visitors to obtain a valid nonce, enabling exploitation even without logging in.

Impact Analysis

This vulnerability can lead to unauthorized manipulation of user reward points, allowing attackers to drain points from any user and convert them to their own wallet balance.

Attackers can exfiltrate sensitive user information such as emails and point balances to an external attacker-controlled account.

The site’s Klaviyo public API key can be overwritten, potentially disrupting legitimate marketing or communication functions.

Attackers can block or unblock users arbitrarily within the points system and modify campaign banners and headings, potentially damaging the site's reputation or user experience.

Because unauthenticated visitors can obtain a valid nonce for some actions, the risk extends beyond logged-in users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10628. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart